CVE-2026-47157

Published: Jun 11, 2026Modified: Jun 11, 2026Deferred

6.5

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for example through a local network, DNS, or proxy compromise, challenge handling requests could be sent outside the intended Instagram host with the client's existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/subzeroid/aiograpi/commit/9c24151916beca622e588bfb3167c98711ff744f

Source: security-advisories@github.com

https://github.com/subzeroid/aiograpi/pull/274

Source: security-advisories@github.com

https://github.com/subzeroid/aiograpi/releases/tag/0.9.10

Source: security-advisories@github.com

https://github.com/subzeroid/aiograpi/security/advisories/GHSA-jh37-x3fv-4x72

Source: security-advisories@github.com

Timeline

No history available yet.