A vulnerability, which was classified as critical, was found in AstrBotDevs AstrBot up to 4.25.2. Affected by this vulnerability is the function
get_online_plugins of the file astrbot/dashboard/routes/plugin.py of the component market_list Endpoint. Executing a manipulation of the argument custom_registry can lead to server-side request forgery.
This vulnerability is handled as CVE-2026-15500. The attack can be executed remotely. Additionally, an exploit exists.
The vendor was contacted early about this disclosure but did not respond in any way.