CVE-2026-47157
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
aiograpi is an asynchronous Instagram API for Python. Versions before 0.9.10 accepted server-supplied signup challenge paths, which could lead to building request URLs without prior validation, creating a risk of attacks.
Risk Assessment
An attacker could exploit this vulnerability to send requests to unintended Instagram hosts, potentially leading to the exposure of the client's session data.
Recommendation
It is recommended to upgrade to version 0.9.10 or later, which introduces validation of challenge paths before building URLs.
Original NVD description (English source)
aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for example through a local network, DNS, or proxy compromise, challenge handling requests could be sent outside the intended Instagram host with the client's existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms.

