Description
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function create_template of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Template Engine Injection
Action: Assess Impact
AI Analysis

Impact

A flaw in the create_template function of AstrBot’s Dashboard API causes the template engine to fail to neutralize special elements in user‑supplied templates. Because the engine accepts these elements without proper escaping, crafted template content can be executed by the server, potentially allowing an attacker to modify application behavior or inject malicious code into the rendering process. The CVE description does not explicitly confirm that arbitrary code execution is guaranteed, but the weakness could be leveraged for further compromise.

Affected Systems

The vulnerability affects AstrBotDevs AstrBot versions up to and including 4.22.1. The affected component is the Dashboard API, specifically the t2i.py route that processes create_template requests. All deployments of the product before the 4.22.1 release are potentially susceptible.

Risk and Exploitability

The CVSS base score of 5.1 places the flaw in the moderate severity range, while the EPSS score of <1% indicates a very low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, but the availability of a public exploit suggests that attackers can target the create_template endpoint remotely. The likely attack vector is an HTTP request that supplies a malicious template payload to the API endpoint. Given the low EPSS, the risk is moderate but should still be monitored.

Generated by OpenCVE AI on April 28, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict or block access to the /dashboard/t2i/create_template endpoint using firewall or application‑level rules to prevent unauthorized requests.
  • Disable the template‑creation feature entirely if it is not required, or replace the current template engine with one that enforces strict input validation until a vendor patch is available.
  • Continuously monitor application logs for attempts to inject or render templates, and be alert for vendor updates or security advisories related to this issue.

Generated by OpenCVE AI on April 28, 2026 at 13:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h3rr-9wqj-v3c6 AstrBot has Incomplete Filtering of Special Elements
History

Sat, 25 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function create_template of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title AstrBotDevs AstrBot Dashboard API t2i.py create_template special elements used in a template engine
First Time appeared Astrbot
Astrbot astrbot
Weaknesses CWE-1336
CWE-791
CPEs cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*
Vendors & Products Astrbot
Astrbot astrbot
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Astrbot Astrbot
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T17:32:51.922Z

Reserved: 2026-04-24T19:07:50.276Z

Link: CVE-2026-6984

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-04-25T16:16:17.550

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6984

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:30:32Z

Weaknesses