Cross-Site Scripting Vulnerability in AstrBotDevs AstrBot Product
CVE-2026-16073
Key Information:
- Vendor
Astrbotdevs
- Status
- Vendor
- CVE Published:
- 17 July 2026
Badges
What is CVE-2026-16073?
A security vulnerability has been identified in the AstrBotDevs AstrBot application, specifically within the T2I Feature which utilizes the NetworkRenderStrategy. The flaw resides in the 'Star.text_to_image' function located in the 'astrbot/core/star/base.py' file. This vulnerability allows an attacker to execute cross-site scripting attacks remotely, potentially compromising user data and application integrity. The issue was made public after the vendor was notified but did not respond. Effective remediation strategies include updating to the latest version and implementing security measures to mitigate XSS risks.
Affected Version(s)
AstrBot 4.25.0
AstrBot 4.25.1
AstrBot 4.25.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
