astro vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

CVE-ID          Severity  Package        Summary
CVE-2026-54298  Medium    astro          Astro: XSS via Unescaped Attribute Names in Spread Props
CVE-2026-54299  High      astro          Astro: Host header SSRF in prerendered error page fetch
CVE-2026-50146  High      astro          Astro: Reflected XSS via unescaped slot name
CVE-2026-45028  Low       astro          Astro: Server island encrypted parameters vulnerable to cross-component replay
CVE-2026-41067  Medium    astro          Astro: XSS in define:vars via incomplete </script> tag sanitization
CVE-2026-33769  Low       astro          Astro: Remote allowlist bypass via unanchored matchPathname wildcard
CVE-2025-66202  Medium    astro          Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
CVE-2025-65019  Medium    astro          Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
CVE-2025-64765  Medium    astro          Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded…
CVE-2025-64764  High      astro          Astro vulnerable to reflected XSS via the server islands feature
CVE-2025-64757  Low       astro          Astro Development Server has Arbitrary Local File Read
CVE-2025-64525  Medium    astro          Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
CVE-2025-64745  Low       astro          Astro development server error page is vulnerable to reflected Cross-site Scripting
CVE-2025-59837  High      astro          Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
CVE-2025-61925  Medium    astro          Astro's `X-Forwarded-Host` is reflected without validation
CVE-2025-55303  Medium    @astrojs/node  Astro allows unauthorized third-party images in _image endpoint
CVE-2025-54793  Medium    astro          Astro's duplicate trailing slash feature leads to an open redirection security issue
CVE-2024-56159  High      astro          Astro's server source code is exposed to the public if sourcemaps are enabled
CVE-2024-56140  Medium    astro          Astro CSRF Middleware Bypass (security.checkOrigin)
CVE-2024-47885  Medium    astro          DOM Clobbering Gadget found in astro's client-side router that leads to XSS
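Two rows above, CVE-2025-64765 and its follow-up CVE-2025-66202, describe the same class of bug: a middleware authorization check that compares the raw `url.pathname` string, while the request is routed on a decoded (or doubly decoded) path, so an encoded spelling of a protected prefix slips past the check. The snippet below is an added illustration of that class written for this page; it is not Astro's code, does not reproduce Astro's router or its patch, and the page gives no detail of the actual fix. Everything in it is assumed: a toy `routedPath` that decodes once the way a router might, the `/admin` prefix, the `example.test` host, and the canonicalisation rule in the hardened guard (decode until stable, fail closed on anything that still contains a `%`).

```javascript
// Added example, not Astro's code. Illustrates why an auth check on the
// raw pathname can disagree with the path a router actually serves.

// Toy stand-in for a router that percent-decodes before matching (assumed
// behaviour for the sake of the illustration). "/%61dmin" lands on the
// same handler as "/admin".
function routedPath(rawPath) {
  return decodeURIComponent(rawPath);
}

// Naive guard: compares the still-encoded pathname, so "/%61dmin" is not
// recognised as the protected area even though it is routed there.
function naiveIsProtected(urlString) {
  return new URL(urlString).pathname.startsWith('/admin');
}

// Canonicalise a path before comparing it. Decode repeatedly until the
// string stops changing, so a double-encoded "/%2561dmin" ends up as
// "/admin" just like a single-encoded one. Return null (caller fails
// closed) for malformed escapes or for paths that still carry a '%' after
// the decode budget is spent. These are hardening choices made for this
// example, not a description of any framework's behaviour.
function canonicalPath(rawPath, maxRounds = 3) {
  let path = rawPath;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(path);
    } catch {
      return null; // malformed percent-escape such as "%zz"
    }
    if (next === path) break;
    path = next;
  }
  return path.includes('%') ? null : path;
}

// Hardened guard: compare the canonical path, segment-aware (so "/adminx"
// is not treated as "/admin"), and fail closed when canonicalisation fails.
function hardenedIsProtected(urlString) {
  const canon = canonicalPath(new URL(urlString).pathname);
  if (canon === null) return true;
  return canon === '/admin' || canon.startsWith('/admin/');
}

// Constructed requests against a hypothetical host, for comparison.
const SAMPLE_URLS = [
  'http://example.test/admin',
  'http://example.test/%61dmin',      // single-encoded 'a'
  'http://example.test/%2561dmin',    // double-encoded 'a'
  'http://example.test/admin/users',
  'http://example.test/public',
];

function compareGuards(urls = SAMPLE_URLS) {
  return urls.map((u) => ({
    url: u,
    routed: routedPath(new URL(u).pathname),
    naive: naiveIsProtected(u),
    hardened: hardenedIsProtected(u),
  }));
}

for (const row of compareGuards()) {
  console.log(row);
}
```

The interesting rows are the encoded ones: the naive guard reports them as unprotected while the toy router still serves `/admin` for them, and the double-encoded form shows why a single `decodeURIComponent` in the guard is not enough on its own if anything downstream decodes again. Which layer decodes how many times is framework-specific; the safe pattern is to authorise on the same canonical path the router matches on.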

Protect your environment with Kodem.