A vulnerability classified as critical was found in AstrBotDevs AstrBot up to version 4.22.1. It affects the function add_mcp_server in the file astrbot/dashboard/routes/tools.py of the MCP Endpoint component. Manipulation of the argument command leads to command injection.
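
The following is an added illustration, not code from AstrBot or from this advisory, of the command-injection pattern an "add MCP server" endpoint can fall into when a request-supplied command string is handed to a shell, beside a hardened version that allowlists the executable and passes an argv list with shell=False. The request shape, the allowlist, the function names and the use of a POSIX shell are all assumptions made for the example; the real AstrBot code path is not reproduced here.

```python
# Illustration (not AstrBot's code) of the injection pattern an "add MCP server"
# endpoint can fall into, and a hardened equivalent. Everything here is assumed
# for the example: the request shape, the allowlist and the use of a POSIX shell.
import shlex
import shutil
import subprocess
from typing import Sequence

# Assumed: which executables may be spawned as stdio MCP servers is a deployment
# decision. "echo" is included only so the demo runs without npx/uvx installed.
ALLOWED_EXECUTABLES = frozenset({"npx", "uvx", "node", "python3", "echo"})

# Constructed request body of the kind such an endpoint accepts (hypothetical shape).
SAMPLE_REQUEST = {
    "name": "demo",
    "command": "echo hello; echo INJECTED",  # attacker-controlled string
    "args": [],
}


def spawn_unsafe(command: str, args: Sequence[str]) -> str:
    """Vulnerable pattern: request-controlled text is joined into one string and
    handed to a shell, so ';', '&&', '|' or '$(...)' in `command` run extra
    commands. Returns captured stdout so the effect is visible."""
    line = " ".join([command, *args])
    proc = subprocess.run(line, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


def validate_command(command: str, args: Sequence[str]) -> list[str]:
    """Reduce `command` to a bare executable name from the allowlist and keep
    `args` as separate strings; raise ValueError on anything else."""
    if not isinstance(command, str) or not command or command != command.strip():
        raise ValueError("command must be a non-empty token")
    # A bare name: no path separators, no shell metacharacters, a single shlex token.
    if any(ch in command for ch in "/\\;&|$`<>()\"'\n\0"):
        raise ValueError(f"command contains forbidden characters: {command!r}")
    if shlex.split(command) != [command]:
        raise ValueError(f"command must be a single token: {command!r}")
    if command not in ALLOWED_EXECUTABLES:
        raise ValueError(f"executable not allowlisted: {command!r}")
    if not isinstance(args, (list, tuple)) or not all(
        isinstance(a, str) and "\0" not in a for a in args
    ):
        raise ValueError("args must be a list of strings")
    return [command, *args]


def spawn_safe(command: str, args: Sequence[str]) -> str:
    """Hardened pattern: validate, resolve the executable yourself, and pass an
    argv list with shell=False, so metacharacters in args stay literal."""
    argv = validate_command(command, args)
    exe = shutil.which(argv[0])
    if exe is None:
        raise FileNotFoundError(f"{argv[0]} not found on PATH")
    proc = subprocess.run(
        [exe, *argv[1:]], shell=False, capture_output=True, text=True, check=False
    )
    return proc.stdout


def is_rejected(command: str, args: Sequence[str]) -> bool:
    """True if the hardened validator refuses this request."""
    try:
        validate_command(command, args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    req = SAMPLE_REQUEST
    print("unsafe  :", repr(spawn_unsafe(req["command"], req["args"])))
    print("rejected:", is_rejected(req["command"], req["args"]))
    print("safe    :", repr(spawn_safe("echo", ["hello;", "echo", "INJECTED"])))
```

Running the unsafe path with the constructed request prints two lines, showing that the text after the semicolon executed as its own command; the hardened validator refuses the same string outright, and when the same metacharacters arrive as separate args they are echoed literally rather than interpreted. Authentication on the dashboard endpoint is a separate control and is not addressed by this example.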

This vulnerability is tracked as CVE-2026-6118. The attack can be carried out remotely, and an exploit is available.

The project was informed of the problem early through an issue report but has not responded yet.