VYPR

Withastro vendor CVEs

All CVEs (31 total · sorted by risk)
  • CVE-2018-7180 · Critical · Feb 17, 2018
    risk 0.67 · cvss 9.8 · epss 0.03

    SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! via the publicid parameter.

  • CVE-2026-30118 · Critical · May 19, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs,…

  • CVE-2026-30117 · Critical · May 19, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file.

  • CVE-2026-54299 · High · Jun 16, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Astro SSR apps with prerendered error pages (`/404` or `/500` using `export const prerender = true`) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from `request.url`, which in turn gets its origin from the incoming…

  • CVE-2026-50146 · High · Jun 16, 2026
    risk 0.45 · cvss n/a · epss 0.00

    When a component uses a `client:*` directive, Astro inserts named slot content into a `data-astro-template` attribute without HTML-escaping the slot name, allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS…

  • CVE-2026-41067 · Medium · Apr 24, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements…

  • CVE-2026-45028 · Medium · May 13, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one…

  • CVE-2025-55207 · Medium · Aug 15, 2025
    risk 0.29 · cvss n/a · epss 0.01

    Astro is a web framework for content-driven websites. Following CVE-2025-54793 there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios prior to version 9.4.1. Astro 5.12.8 addressed CVE-2025-54793 where https://example.com//astro.build/press would…

  • CVE-2026-54298 · Jun 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    The `spreadAttributes` function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to `addAttribute`, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax `{...props}` on…

  • CVE-2026-54300 · Jun 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    `@astrojs/netlify` converts Astro `image.remotePatterns` into Netlify Image CDN `images.remote_images` regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as `*.example.com` is converted to an optional subdomain…

  • CVE-2026-33769 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a…

  • CVE-2026-33768 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets…

  • CVE-2026-29772 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small…

  • CVE-2026-27829 · Feb 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that…

  • CVE-2026-27729 · Feb 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can lead to memory exhaustion DoS. A single large POST to a valid action endpoint can crash the server process on memory-constrained deployments.…

  • CVE-2026-25545 · Feb 24, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered custom error page (e.g. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:` header is changed to an attacker's server, it will be fetched on…

  • CVE-2025-66202 · Dec 8, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was…

  • CVE-2025-64765 · Nov 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to…

  • CVE-2025-64764 · Nov 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8.

  • CVE-2025-65019 · Nov 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data:…

  • CVE-2025-64757 · Nov 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and…

  • CVE-2025-64745 · Nov 13, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary…

  • CVE-2025-64525 · Nov 13, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilize on-demand rendering, request headers `x-forwarded-proto` and `x-forwarded-port` are insecurely used, without sanitization, to build the URL. This has several consequences, the most…

  • CVE-2025-59837 · Oct 28, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validation can be bypassed by using backslashes in the href parameter, allowing server-side requests to arbitrary URLs. This can lead to server-side request…

  • CVE-2025-61925 · Oct 10, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url` without any validation. It is common for web servers such as nginx to route requests via the `Host` header, and forward on other request headers. As…

  • CVE-2025-58179 · Sep 4, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint…

  • CVE-2025-55303 · Aug 19, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built…

  • CVE-2025-54793 · Aug 8, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external…

  • CVE-2024-56159 · Dec 19, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a…

  • CVE-2024-56140 · Dec 18, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Astro is a web framework for content-driven websites. In affected versions a bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. When the `security.checkOrigin` configuration option is set to `true`, Astro middleware will perform a CSRF check.…

  • CVE-2024-47885 · Oct 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites that enable Astro's client-side routing and have *stored* attacker-controlled scriptless HTML…