Astro: Reflected XSS via unescaped slot name
Modified: 6/16/2026
package
pkg:npm/astro
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
Modified: 11/27/2025
Astro CSRF Middleware Bypass (security.checkOrigin)
Modified: 11/27/2025
Astro's duplicate trailing slash feature leads to an open redirection security issue
Modified: 11/27/2025
Astro: Host header SSRF in prerendered error page fetch
Modified: 6/16/2026
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
Modified: 2/4/2026
Astro's server source code is exposed to the public if sourcemaps are enabled
Modified: 11/27/2025
Astro's `X-Forwarded-Host` is reflected without validation
Modified: 10/11/2025
DOM Clobbering Gadget found in astro's client-side router that leads to XSS
Modified: 11/27/2025
Astro: Remote allowlist bypass via unanchored matchPathname wildcard
Modified: 4/8/2026
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
Modified: 11/13/2025
Astro: XSS in define:vars via incomplete </script> tag sanitization
Modified: 5/5/2026
Astro: XSS via Unescaped Attribute Names in Spread Props
Modified: 6/16/2026
Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
Modified: 10/29/2025
Astro development server error page is vulnerable to reflected Cross-site Scripting
Modified: 11/27/2025
Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
Modified: 2/4/2026
Astro vulnerable to reflected XSS via the server islands feature
Modified: 11/20/2025
Astro Development Server has Arbitrary Local File Read
Modified: 11/20/2025
Astro allows unauthorized third-party images in _image endpoint
Modified: 11/27/2025
Astro: Server island encrypted parameters vulnerable to cross-component replay
Modified: 5/14/2026