{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41067", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.174Z", "datePublished": "2026-04-24T16:57:22.940Z", "dateUpdated": "2026-04-24T18:16:55.536Z"}, "containers": {"cna": {"title": "Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff"}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"version": "< 6.1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T16:57:22.940Z"}, "descriptions": [{"lang": "en", "value": "Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6."}], "source": {"advisory": "GHSA-j687-52p2-xcff", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T17:27:06.343054Z", "id": "CVE-2026-41067", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:16:55.536Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41067", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T17:27:06.343054Z"}}}], "references": [{"url": "https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T17:30:46.335Z"}}], "cna": {"title": "Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass", "source": {"advisory": "GHSA-j687-52p2-xcff", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "withastro", "product": "astro", "versions": [{"status": "affected", "version": "< 6.1.6"}]}], "references": [{"url": "https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff", "name": "https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T16:57:22.940Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41067", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:16:55.536Z", "dateReserved": "2026-04-16T16:43:03.174Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T16:57:22.940Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:astro:astro:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F1E12104-0666-4579-82D6-3805F521F36A", "versionEndExcluding": "6.1.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6."}], "id": "CVE-2026-41067", "lastModified": "2026-04-27T13:41:42.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T17:16:21.083", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/withastro/astro/security/advisories/GHSA-j687-52p2-xcff"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["node.js"], "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "astro", "source": "cna", "vendor": "withastro"}, "product": "astro", "vendor": "astro"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.1.6)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "astro", "source": "cna", "vendor": "withastro"}, "product": "astro", "vendor": "withastro"}], "analysis": {"en": {"generated_at": "2026-04-28T06:01:46.568651+00:00", "value": {"mitigation_remediation": ["Upgrade Astro to version 6.1.6 or later to apply the patched sanitization logic.", "Ensure that any data fed into the define:vars directive originates from trusted sources or is sanitized to remove <script> close tags before rendering.", "Deploy a Content Security Policy that blocks inline scripts and restricts script execution to trusted origins as an additional defense while the patch is pending."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is withastro:astro, any installation running a version older than 6.1.6. The flaw exists in Astro\u2019s server\u2011side rendering pipeline, specifically the function that handles the define:vars directive. All Node.js environments that are serving Astro templates and have not upgraded past 6.1.6 remain vulnerable; this includes any web sites or applications that build or render pages with Astro and expose user\u2011controlled data to the define:vars directive.", "description_and_impact": "Astro\u2019s server\u2011side rendering code, before version 6.1.6, sanitized values that are inserted into inline <script> tags via the define:vars directive with a case\u2011sensitive regular expression. Web browsers treat the closing </script> tag case\u2011insensitively and also accept variations that contain whitespace or a slash before the closing greater\u2011than sign, such as </Script>, </script >, or </script/>. An attacker can take advantage of this mismatch to inject arbitrary JavaScript or HTML into the rendered page, leading to classic cross\u2011site scripting that can hijack user sessions, steal credentials, or modify page content. The vulnerability does not expose system internals or allow arbitrary OS command execution, but it permits arbitrary script execution in the victim\u2019s browser context, which is a high\u2011impact attack vector for web applications.", "risk_and_exploitability": "The CVSS score is 6.1, indicating a moderate severity. The EPSS score is less than 1%, showing a very low probability of exploitation, and the bug is not listed in CISA\u2019s KEV catalog. Exploitation requires that an attacker be able to supply data that Astro will inject into a <script> tag via define:vars, which usually means there is some user input or a configuration file that is rendered without proper validation. If such an input source exists, the attacker can inject the crafted closing tag variants and run arbitrary client\u2011side code; otherwise, the easily mitigable nature of the issue keeps the risk moderate."}}}}, "created": "2026-04-27T19:45:11.178982+00:00", "updated": "2026-04-28T06:15:24.136700+00:00", "vendors": ["astro", "astro$PRODUCT$astro", "withastro", "withastro$PRODUCT$astro"]}