Web Framework Vulnerability in Astro by WithAstro
CVE-2026-41067

6.1 MEDIUM

Key Information:

Vendor: Withastro

Status: Vendor

CVE Published: 24 April 2026

What is CVE-2026-41067?

Astro, a popular web framework, performed incomplete sanitization in its server-side rendering pipeline. The function that serializes script variables into inline script tags cleaned injected values with a case-sensitive regular expression, so it only caught the exact lower-case closing tag. Because the browser's HTML tokenizer matches tag names case-insensitively, an attacker-controlled value containing an upper-case or mixed-case form of the script closing tag passed the check, terminated the script element early, and turned the remainder of the value into markup. The result is injection of arbitrary HTML and JavaScript (cross-site scripting) in any page that renders untrusted data into an inline script this way. The issue was fixed in version 6.1.6.
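The following is an added example written for this page, not Astro's code and not the patch shipped in 6.1.6 (the page does not say how the maintainers fixed it). The function names, the sanitizer bodies and the payloads are assumptions that reproduce the bug class: a case-sensitive blacklist of the closing tag beside a case-insensitive one and beside the escaping approach that does not depend on matching the tag at all. The breakout check mirrors the rule the HTML tokenizer actually applies when it leaves script content, which is what decides whether the injection works.

```javascript
// Added example (not Astro's code): the bug class behind CVE-2026-41067.
// Function names and sanitizer bodies are assumptions for illustration.

// Vulnerable pattern: JSON-serialize the value, then neutralize only the
// exact lower-case closing tag. The regex has no "i" flag.
function serializeCaseSensitive(value) {
  return JSON.stringify(value).replace(/<\/script>/g, '<\\/script>');
}

// Narrow fix for this report: match the closing tag case-insensitively.
// Still a blacklist of one spelling of the tag.
function serializeCaseInsensitive(value) {
  return JSON.stringify(value).replace(/<\/script>/gi, '<\\/script>');
}

// Robust fix: escape every "<" (plus the JS line terminators) as a JSON
// escape sequence, so no closing tag of any case, spacing or comment
// opener can leave the script context. The JS value is unchanged.
function serializeEscaped(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Server-side rendering step: embed the serialized value in an inline script.
function renderInlineScript(serialize, value) {
  return `<script>const data = ${serialize(value)};</script>`;
}

// The HTML tokenizer leaves the "script data" state at "</script" (ASCII
// case-insensitive) followed by whitespace, "/" or ">". JavaScript string
// quotes mean nothing to it, so a closing tag inside a string literal still
// ends the element.
const SCRIPT_END = /<\/script[\s\/>]/i;

// True when the first closing tag the tokenizer would honour appears before
// the closing tag the template intended, i.e. the value escaped the script.
function breaksOutOfScript(html) {
  const open = html.indexOf('<script>');
  if (open === -1) throw new Error('no inline script in markup');
  const body = html.slice(open + '<script>'.length);
  const intendedEnd = body.lastIndexOf('</script>');
  const m = SCRIPT_END.exec(body);
  return m !== null && m.index < intendedEnd;
}

// Constructed payloads: the spelling the blacklist expects, an upper-case
// variant, and a mixed-case variant with whitespace before ">".
const PAYLOADS = [
  '</script><img src=x onerror=alert(1)>',
  '</SCRIPT><img src=x onerror=alert(1)>',
  '</Script ><img src=x onerror=alert(1)>',
];

// One boolean per payload: did it break out under the given serializer?
function evaluate(serialize) {
  return PAYLOADS.map((p) => breaksOutOfScript(renderInlineScript(serialize, p)));
}

console.log('case-sensitive   ', evaluate(serializeCaseSensitive));
console.log('case-insensitive ', evaluate(serializeCaseInsensitive));
console.log('escaped <        ', evaluate(serializeEscaped));
```

The case-sensitive serializer stops only the first payload; the case-insensitive one also stops the second but still lets the third through, because the tokenizer accepts whitespace between the tag name and ">" while the regex does not. Escaping "<" at serialization time blocks all three without having to enumerate tag spellings, which is why it is the approach to prefer when auditing or replacing this kind of sanitizer.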

Affected Version(s)

astro < 6.1.6

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published: 24 April 2026

  • Vulnerability reserved