bbot
PyPI8 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting bbotpage 1 of 1
- CVE-2025-10281MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.7.02025-10-09
vulnerable: 1.0.0 ... 2.6.1.6915rc0 (625 versions)
BBOT's git_clone module could be abused to disclose a GitHub API key to an attacker controlled server with a malicious formatted git URL.
- CVE-2025-10282MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.7.22025-10-09
vulnerable: 2.7.0.6919rc0 ... 2.7.1.7212rc0 (36 versions)
BBOT's gitlab module could be abused to disclose a GitLab API key to an attacker controlled server with a malicious formatted git URL.
- CVE-2025-10283CRITICALCVSS 9.6EG 9.6✓ Fixed in 2.7.02025-10-09
vulnerable: 1.0.0 ... 2.6.1.6915rc0 (625 versions)
BBOT's gitdumper module could be abused to execute commands through a malicious git repository.
- CVE-2025-10284CRITICALCVSS 9.6EG 9.6✓ Fixed in 2.7.02025-10-09
vulnerable: 1.0.0 ... 2.6.1.6915rc0 (625 versions)
BBOT's unarchive module could be abused by supplying malicious archives files and when extracted can then perform an arbitrary file write, resulting in remote code execution.
- CVE-2026-12565MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.8.52026-06-17
vulnerable: 2.3.1 ... 2.8.4.7578rc0 (218 versions)
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addresse…
- CVE-2026-12566LOWCVSS 3.1EG 3.1✓ Fixed in 2.8.52026-06-17
vulnerable: 2.0.0 ... 2.8.4.7578rc0 (387 versions)
The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry cou…
- CVE-2026-12567LOWCVSS 2.2EG 2.2✓ Fixed in 2.8.52026-06-17
vulnerable: 2.0.0 ... 2.8.4.7578rc0 (387 versions)
The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing wor…
- CVE-2026-12568MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.8.62026-06-17
vulnerable: 2.1.0 ... 2.8.5 (334 versions)
The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path …
Check whether bbot is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for bbot CVEs against the assets you own.
Start Free Scan →