Astro

This hub aggregates every CVE we track for Astro, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Astro.

• CVE-2026-54299Astro: Host-header full-read SSRF in core prerendered error-page fetch (prerenderedErrorPageFetch default + unvalidated createRequestFromNodeRequest URL)7.5Jun 22, 2026
• CVE-2026-54298Astro: XSS via Unescaped Attribute Names in Spread Props4.2Jun 22, 2026
• CVE-2026-50146Astro: Reflected XSS via unescaped slot name7.1Jun 22, 2026
• CVE-2026-54300@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config5.3Jun 22, 2026
• CVE-2026-45028Astro: Server island encrypted parameters vulnerable to cross-component replay6.1May 13, 2026
• CVE-2026-42349Clerk: Authorization bypass when combining organization, billing, or reverification checks8.1May 11, 2026
• CVE-2026-41248Official Clerk JavaScript SDKs: Middleware-based route protection bypass9.1Apr 24, 2026
• CVE-2026-41322@astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed5.3Apr 24, 2026
• CVE-2026-41067Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass6.1Apr 24, 2026
• CVE-2026-33769Astro: Remote allowlist bypass via unanchored matchPathname wildcard5.3Mar 24, 2026
• CVE-2026-33768Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`6.5Mar 24, 2026
• CVE-2026-29772Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands5.9Mar 24, 2026
• CVE-2026-27829Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize6.5Feb 26, 2026
• CVE-2026-27729Astro has memory exhaustion DoS due to missing request body size limit in Server Actions5.9Feb 24, 2026
• CVE-2026-25545Astro has Full-Read SSRF in error rendering via Host: header injection8.6Feb 24, 2026