Server-Side Request Forgery in AstrBotDevs AstrBot Affects Multiple Versions
CVE-2026-15500
Key Information:
- Vendor
Astrbotdevs
- Status
- Vendor
- CVE Published:
- 12 July 2026
Badges
What is CVE-2026-15500?
A vulnerability has been detected in AstrBotDevs AstrBot versions up to 4.25.2, specifically within the get_online_plugins function of the market_list endpoint. By manipulating the custom_registry parameter, an attacker can execute a server-side request forgery (SSRF) from a remote location. This can potentially allow for unauthorized access to internal resources. The exploit for this vulnerability has been publicly disclosed, although there has been no response from the vendor regarding the matter.
Affected Version(s)
AstrBot 4.25.0
AstrBot 4.25.1
AstrBot 4.25.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
