Lucene search
+L

673 matches found

EUVD
EUVD
added 2026/04/24 5:8 p.m.8 views

EUVD-2026-25580

@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all...

5.3CVSS5.2AI score0.00238EPSS
Exploits0References1
OSV
OSV
added 2026/04/24 5:8 p.m.3 views

CVE-2026-41322 @astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed

@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all...

5.3CVSS5.8AI score0.00238EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/24 4:57 p.m.30 views

CVE-2026-41067 Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace o...

6.1CVSS0.00189EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/24 4:57 p.m.5 views

CVE-2026-41067

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline ,...

6.1CVSS5.2AI score0.00189EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/24 4:57 p.m.3 views

CVE-2026-41067 Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace o...

6.1CVSS5.5AI score0.00189EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/24 4:57 p.m.5 views

EUVD-2026-25573

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace o...

6.1CVSS5.5AI score0.00189EPSS
Exploits1References1
CVE
CVE
added 2026/04/24 4:57 p.m.21 views

CVE-2026-41067

Summary: CVE-2026-41067 affects Astro’s SSR pipeline, where defineScriptVars sanitizes inline script values using a case-sensitive //g regex. This fails to match closing script tags when payloads use case variants (e.g., ), whitespace before &gt; (), or self-closing forms (), allowing injected HT...

6.1CVSS5.5AI score0.00189EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/04/24 4:57 p.m.3 views

CVE-2026-41067 Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace o...

6.1CVSS6AI score0.00189EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.12 views

Astro 安全漏洞

Astro is a content-driven website framework developed by Astro OpenSource. Versions of Astro prior to 10.0.5 contained security vulnerabilities; these vulnerabilities stemmed from incorrect status codes returned when processing the if-match header, which could lead to static resource caching erro...

5.3CVSS5.8AI score0.00238EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.11 views

Astro 代码问题漏洞

Astro is a content-driven website framework developed by Astro OpenSource. Versions of Astro prior to 13.1.10 had code vulnerabilities. These vulnerabilities stemmed from the use of default redirection behavior in fetch calls, which could allow Cloudflare Workers to bypass domain whitelist checks...

2.2CVSS5.9AI score0.00199EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.12 views

Astro 跨站脚本漏洞

Astro is a content-driven website framework developed by Astro OpenSource. Versions of Astro prior to 6.1.6 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of case-sensitive regular expressions in the defineScriptVars function, which cleaned and injected...

6.1CVSS5.8AI score0.00189EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/23 2:36 p.m.12 views

Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed

Summary Requesting a static JS/CSS resource from the astro path with an incorrect or malformed if-match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases. As a result, all subsequent requests to that file — regardless of the if-match header — will be served a...

5.3CVSS5.7AI score0.00238EPSS
Exploits0References3Affected Software1
vulnersOsv
vulnersOsv
added 2026/04/23 2:36 p.m.6 views

@chocolatey-software/astro (=2.7.0), astro-service-worker (=0.0.1) potentially affected by CVE-2026-41322 via @astrojs/node (>=0.1.6 <=10.0.4)

@astrojs/node NPM version =0.1.6, =10.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on @astrojs/node and may be impacted: - @chocolatey-software/astro =2.7.0 - astro-service-worker =0.0.1 Source cves: CVE-2026-41322 Source advisory:...

5.3CVSS5.8AI score0.00238EPSS
Exploits0
OSV
OSV
added 2026/04/23 2:36 p.m.8 views

GHSA-C57F-MM3J-27Q9 Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed

Summary Requesting a static JS/CSS resource from the astro path with an incorrect or malformed if-match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases. As a result, all subsequent requests to that file — regardless of the if-match header — will be served a...

5.3CVSS5.7AI score0.00238EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/23 12:0 a.m.12 views

PT-2026-34681

Summary Requesting a static JS/CSS resource from the astro path with an incorrect or malformed if-match header returns a 500 error with a one-year cache lifetime instead of 412 in some cases. As a result, all subsequent requests to that file — regardless of the if-match header — will be served a...

5.3CVSS5.7AI score0.00238EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/21 8:39 p.m.14 views

Astro: XSS in define:vars via incomplete </script> tag sanitization

Summary The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing , allowing ...

6.1CVSS6AI score0.00189EPSS
Exploits1References4Affected Software1
vulnersOsv
vulnersOsv
added 2026/04/21 8:39 p.m.9 views

@1771technologies/oneplay (>=0.0.1 <=0.0.6), @akalymon/web (=0.1.0) +631 more potentially affected by CVE-2026-41067 via astro (>=0.20.12 <=6.1.5)

astro NPM version =0.20.12, =0.0.1, =0.1.6, =1.0.0, =0.5.0, =1.0.0, =1.0.0, =0.0.17, =0.0.2, =0.0.1, =0.2.0, =0.3.0 and more Source cves: CVE-2026-41067 Source advisory: OSV:GHSA-J687-52P2-XCFF...

6.1CVSS5.7AI score0.00189EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/04/21 8:39 p.m.7 views

@chocolatey-software/astro (>=2.7.0 <=2.8.0), @kyro-cms/admin (=0.1.2) +9 more potentially affected by CVE-2026-41067 via astro (>=6.0.0-beta.1 <=6.1.5)

astro NPM version =6.0.0-beta.1, =2.7.0, =0.19.0, =0.19.0, =1.10.0, =1.0.0, =1.4.2, =0.0.1, =0.0.1, =0.0.7 Source cves: CVE-2026-41067 Source advisory: SNYK:JS-ASTRO-16119128...

6.1CVSS5.7AI score0.00189EPSS
Exploits1
Snyk
Snyk
added 2026/04/21 8:39 p.m.5 views

Cross-site Scripting (XSS)

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the defineScriptVars function due to incomplete sanitization of closing tags within injected variables. A...

6.1CVSS5.5AI score0.00189EPSS
Exploits1References2
OSV
OSV
added 2026/04/21 8:39 p.m.19 views

GHSA-J687-52P2-XCFF Astro: XSS in define:vars via incomplete </script> tag sanitization

Summary The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing , allowing ...

6.1CVSS6AI score0.00189EPSS
Exploits1References4
Rows per page
Query Builder