VYPR
, , or and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.","additionalType":"https://schema.org/SoftwareApplication","sameAs":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41067"]},"keywords":"CVE-2026-41067, Medium, CWE-79, Withastro Astro","mentions":[{"@type":"SoftwareApplication","name":"Astro","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"Withastro"}}],"isAccessibleForFree":true},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://portal.vyprsec.ai/"},{"@type":"ListItem","position":2,"name":"CVEs","item":"https://portal.vyprsec.ai/cves"},{"@type":"ListItem","position":3,"name":"CVE-2026-41067","item":"https://portal.vyprsec.ai/cves/CVE-2026-41067"}]}]}
Medium severity6.1NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2026-41067

CVE-2026-41067

Description

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline , , or and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
astronpm
< 6.1.66.1.6

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.