CVE-2026-47157 — aiograpi: Unsafe signup challenge path handling

Description

aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intended Instagram host with the client\'s existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms.

How to fix CVE-2026-47157

To remediate CVE-2026-47157, upgrade the affected package to a fixed version below.

—upgrade to 0.9.10 or later

Is CVE-2026-47157 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47157.

Affected packages (1)

from 0, < 0.9.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-47157
PATCHgithub.com/subzeroid/aiograpi
WEBgithub.com/subzeroid/aiograpi/commit/9c24151916beca622e588bfb3167c98711ff744f
WEBgithub.com/subzeroid/aiograpi/pull/274
WEB