CVE-2026-59731
Astro 6.4.7 contains an authorization bypass due to improper handling of partially decoded pathnames after the iterative URL decoder limit, with an additional decodeURI() during rewrite route matching that can lead to accessing a protected route. The issue affects 6.4.7 and is fixed in 6.4.8. The...