withastro

Top products

The 15 most recently published vulnerabilities affecting withastro.

• CVE-2026-54299Astro: Host-header full-read SSRF in core prerendered error-page fetch (prerenderedErrorPageFetch default + unvalidated createRequestFromNodeRequest URL)7.5Jun 22, 2026
• CVE-2026-54298Astro: XSS via Unescaped Attribute Names in Spread Props4.2Jun 22, 2026
• CVE-2026-50146Astro: Reflected XSS via unescaped slot name7.1Jun 22, 2026
• CVE-2026-54300@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config5.3Jun 22, 2026
• CVE-2026-45028Astro: Server island encrypted parameters vulnerable to cross-component replay6.1May 13, 2026
• CVE-2026-41322@astrojs/node: Cache Poisoning due to incorrect error handling when if-match header is malformed5.3Apr 24, 2026
• CVE-2026-41321@astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint2.2Apr 24, 2026
• CVE-2026-41067Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass6.1Apr 24, 2026
• CVE-2026-33769Astro: Remote allowlist bypass via unanchored matchPathname wildcard5.3Mar 24, 2026
• CVE-2026-33768Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`6.5Mar 24, 2026
• CVE-2026-29772Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands5.9Mar 24, 2026
• CVE-2026-27829Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize6.5Feb 26, 2026
• CVE-2026-27729Astro has memory exhaustion DoS due to missing request body size limit in Server Actions5.9Feb 24, 2026
• CVE-2026-25545Astro has Full-Read SSRF in error rendering via Host: header injection8.6Feb 24, 2026
• CVE-2025-66202Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-647656.5Dec 8, 2025