660 matches found

RedhatCVE
added 2026/03/26 3:16 p.m., 6 views

CVE-2026-33769

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for / wildcards is unanchored, so a pathname that...

CVSS 6.3, AI score 5.8, EPSS 0.00325
Exploits 1, References 1
RedhatCVE
added 2026/03/26 3:11 p.m., 4 views

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...

CVSS 7.5, AI score 5.8, EPSS 0.0037
Exploits 1, References 1
RedhatCVE
added 2026/03/26 3:09 p.m., 4 views

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

CVSS 9.1, AI score 5.8, EPSS 0.00331
Exploits 1, References 1
vulnersOsv
added 2026/03/24 8:33 p.m., 6 views

@stnd/build (=0.18.70), stnd (=0.18.70) potentially affected by CVE-2026-29772 via astro (=6.0.0-beta.1)

astro NPM version =6.0.0-beta.1 is affected by a known vulnerability. The following packages have a transitive dependency on astro and may be impacted: - @stnd/build =0.18.70 - stnd =0.18.70 Source cves: CVE-2026-29772 Source advisory: SNYK:JS-ASTRO-15763371...

CVSS 7.5, AI score 5.8, EPSS 0.0037
Exploits 1
Snyk
added 2026/03/24 8:33 p.m., 3 views

Allocation of Resources Without Limits or Throttling

Overview: astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the /server-islands/name route handler, which buffers and parses the entire...

CVSS 8.7, AI score 5.8, EPSS 0.0037
Exploits 1, References 2
vulnersOsv
added 2026/03/24 8:33 p.m., 6 views

@1771technologies/lytenyte-doc (=1.0.13), @1771technologies/oneplay (>=0.0.1 <=0.0.6) +577 more potentially affected by CVE-2026-33769 via @astrojs/internal-helpers (>=0.0.0-markdoc-config-changes-20230626153541 <=0.7.5)

@astrojs/internal-helpers NPM version =0.0.0-markdoc-config-changes-20230626153541, =0.0.1, =0.0.3, =0.2.0, =1.1.0, =1.0.0, =1.3.0, =0.9.0, =0.5.2, =1.0.0, =0.5.0, =1.0.0, =1.0.0, =1.0.7 - @arya-technologies/astro-template =0.0.1 and more Source cves: CVE-2026-33769 Source advisory:...

CVSS 6.3, AI score 5.7, EPSS 0.00325
Exploits 1
vulnersOsv
added 2026/03/24 8:33 p.m., 8 views

@astrojs/cloudflare (>=13.0.0-beta.4 <=13.0.0-beta.14), @astrojs/markdoc (>=1.0.0-beta.7 <=1.0.0-beta.15) +8 more potentially affected by CVE-2026-33769 via @astrojs/internal-helpers (>=0.8.0-beta.0 <=0.8.0-beta.3)

@astrojs/internal-helpers NPM version =0.8.0-beta.0, =13.0.0-beta.4, =1.0.0-beta.7, =7.0.0-beta.4, =5.0.0-beta.4, =7.0.0-beta.6, =10.0.0-beta.1, =10.0.0-beta.1, =6.0.0-beta.7, =6.0.0-beta.20 Source cves: CVE-2026-33769 Source advisory: SNYK:JS-ASTROJSINTERNALHELPERS-15763364...

CVSS 6.3, AI score 5.8, EPSS 0.00325
Exploits 1
Snyk
added 2026/03/24 8:30 p.m., 4 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview: @astrojs/vercel is the adapter used to deploy your site to Vercel. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via the x-astro-path header or xastropath query parameter, which allows overriding internal request paths without authentication. An...

CVSS 9.1, AI score 5.8, EPSS 0.00331
Exploits 1, References 2
EUVD
added 2026/03/24 7:29 p.m., 3 views

EUVD-2026-14962

Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands...

CVSS 5.9, AI score 5.8, EPSS 0.0037
Exploits 1, References 3
vulnersOsv
added 2026/03/24 7:29 p.m., 6 views

astro-service-worker (=0.0.1) potentially affected by CVE-2026-29772 via @astrojs/node (=0.1.6)

@astrojs/node NPM version =0.1.6 is affected by a known vulnerability. The following packages have a transitive dependency on @astrojs/node and may be impacted: - astro-service-worker =0.0.1 Source cves: CVE-2026-29772 Source advisory: OSV:GHSA-3RMJ-9M5H-8FPV...

CVSS 7.5, AI score 5.8, EPSS 0.0037
Exploits 1
NVD
added 2026/03/24 7:16 p.m., 6 views

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

CVSS 9.1, EPSS 0.00331
Exploits 1, References 4
NVD
added 2026/03/24 7:16 p.m., 7 views

CVE-2026-33769

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for / wildcards is unanchored, so a pathname that...

CVSS 6.3, EPSS 0.00325
Exploits 1, References 1
NVD
added 2026/03/24 7:16 p.m., 4 views

CVE-2026-29772

Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achiev...

CVSS 7.5, EPSS 0.0037
Exploits 1, References 1
Cvelist
added 2026/03/24 6:44 p.m., 18 views

CVE-2026-33769 Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for / wildcards is unanchored, so a pathname that...

CVSS 6.3, EPSS 0.00325
Exploits 1, References 1
Vulnrichment
added 2026/03/24 6:44 p.m., 3 views

CVE-2026-33769 Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for / wildcards is unanchored, so a pathname that...

CVSS 6.3, AI score 5.8, EPSS 0.00325
Exploits 1, References 1
ATTACKERKB
added 2026/03/24 6:44 p.m., 5 views

CVE-2026-33769

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for / wildcards is unanchored, so a pathname that...

CVSS 6.3, AI score 5.8, EPSS 0.00325
Exploits 1, References 2, Affected Software 1
OSV
added 2026/03/24 6:44 p.m., 6 views

CVE-2026-33769 Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for / wildcards is unanchored, so a pathname that...

CVSS 6.3, AI score 5.9, EPSS 0.00325
Exploits 1, References 3
CVE
added 2026/03/24 6:44 p.m., 18 views

CVE-2026-33769

CVE-2026-33769 affects the Astro web framework. From version 2.10.10 up to before 5.18.1, the remotePatterns path enforcement for remote URLs used by server-side fetchers (e.g., image optimization) uses an unanchored match for /* wildcards, allowing a pathname containing the allowed prefix later ...

CVSS 6.3, AI score 5.8, EPSS 0.00325
Exploits 1, References 1, Affected Software 1
Cvelist
added 2026/03/24 6:40 p.m., 18 views

CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

CVSS 6.5, EPSS 0.00331
Exploits 1, References 4
Vulnrichment
added 2026/03/24 6:40 p.m., 3 views

CVE-2026-33768 Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

CVSS 6.5, AI score 5.8, EPSS 0.00331
Exploits 1, References 4