4 matches found
@antonyfaris/prefix-node-builtins (>=1.0.0 <=1.0.1), @anyauth/design-system (>=0.5.0 <=0.5.1) +354 more potentially affected by CVE-2026-33769 via astro (>=2.10.12 <=5.18.0)
astro NPM version =2.10.12, =1.0.0, =0.5.0, =1.0.0, =0.0.17, =0.0.2, =0.2.0, =0.0.0-experimental-7c2f356, =0.0.0-experimental-7c2f356, =0.0.1, =0.0.1, =0.0.1, =0.3.3 and more Source cves: CVE-2026-33769 Source advisory: OSV:GHSA-G735-7G2W-HH3F...
CVE-2026-33769
Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that...
@1771technologies/lytenyte-doc (=1.0.13), @1771technologies/oneplay (>=0.0.1 <=0.0.6) +554 more potentially affected by CVE-2026-33769 via @astrojs/internal-helpers (>=0.0.0-markdoc-config-changes-20230626153541 <=0.7.5)
@astrojs/internal-helpers NPM version =0.0.0-markdoc-config-changes-20230626153541, =0.0.1, =0.0.3, =0.2.0, =1.3.0, =0.9.0, =0.5.2, =1.0.0, =0.5.0, =1.0.0, =1.0.0, =0.0.17, =0.0.2, =0.0.10 and more Source cves: CVE-2026-33769 Source advisory: SNYK:JS-ASTROJSINTERNALHELPERS-15763364...
CVE-2026-33769
CVE-2026-33769 affects the Astro web framework. From version 2.10.10 up to before 5.18.1, the remotePatterns path enforcement for remote URLs used by server-side fetchers (e.g., image optimization) uses an unanchored match for /* wildcards, allowing a pathname containing the allowed prefix later ...