threatengine.sh
Product: astro
25 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-45028 (< 6.1.10; CVSS 6.1, MEDIUM): Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of s
CVE-2026-41067 (< 6.1.6; CVSS 6.1, MEDIUM): Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sens
CVE-2026-33769 (>= 2.10.10 and < 5.18.1; CVSS 5.3, MEDIUM): Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforceme
CVE-2026-33768 (< 10.0.2; CVSS 6.5, MEDIUM): Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_a
CVE-2026-29772 (>= 9.0.0 and < 10.0.0; CVSS 5.9, MEDIUM): Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as
CVE-2026-27829 (>= 9.0.0 and < 9.5.4; CVSS 6.5, MEDIUM): Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `ima
CVE-2026-27729 (>= 9.0.0 and < 9.5.4; CVSS 5.9, MEDIUM): Astro is a web framework. In versions 9.0.0 through 9.5.3, Astro server actions have no default request body size limit, which can
CVE-2026-25545 (< 9.5.4; CVSS 8.6, HIGH): Astro is a web framework. Prior to version 9.5.4, Server-Side Rendered pages that return an error with a prerendered custom error
CVE-2025-66202 (< 5.15.8; CVSS 6.5, MEDIUM): Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to
CVE-2025-65019 (< 5.15.9; CVSS 5.4, MEDIUM): Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'serve
CVE-2025-64765 (< 5.15.8; CVSS 5.3, MEDIUM): Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/render
CVE-2025-64764 (< 5.15.8; CVSS 7.1, HIGH): Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is use
CVE-2025-64757 (< 5.14.3; CVSS 3.5, LOW): Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server
CVE-2025-64745 (>= 5.2.0 and < 5.15.6; CVSS 2.7, LOW): Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerabil
CVE-2025-64525 (>= 2.16.0 and < 5.15.5; CVSS 6.5, MEDIUM): Astro is a web framework. In Astro versions 2.16.0 up to but excluding 5.15.5 which utilize on-demand rendering, request headers `x
CVE-2025-59837 (>= 5.13.4 and < 5.13.10; CVSS 7.2, HIGH): Astro is a web framework that includes an image proxy. In versions 5.13.4 and later before 5.13.10, the image proxy domain validat
CVE-2025-61925 (< 5.14.2; CVSS 6.5, MEDIUM): Astro is a web framework. Prior to version 5.14.2, Astro reflects the value in `X-Forwarded-Host` in output when using `Astro.url`
CVE-2025-58179 (>= 11.0.3 and < 12.6.6; CVSS 7.2, HIGH): Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Clo
CVE-2025-55303 (< 4.16.18, or 5.x < 5.13.2; CVSS 6.1, MEDIUM): Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpo
CVE-2025-54793 (>= 5.2.0 and <= 5.12.7; CVSS 6.1, MEDIUM): Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in
CVE-2024-56159 (< 4.16.18; CVSS 5.3, MEDIUM): Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of
CVE-2024-56140 (< 4.16.17; CVSS 5.9, MEDIUM): Astro is a web framework for content-driven websites. In affected versions a bug in Astro's CSRF-protection middleware allows re
CVE-2024-47885 (>= 3.0.0 and < 4.16.1; CVSS 5.9, MEDIUM): The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.
CVE-2023-50249 (>= 7.78.0 and < 7.87.0; CVSS 7.5, HIGH): Sentry-Javascript is the official Sentry SDK for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been id
CVE-2018-7180 (all versions; CVSS 9.8, CRITICAL): SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! via the publicid parameter.
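As an added example that is not part of the threatengine.sh page or the Astro project, the script below matches installed package versions against the affected-version ranges in the listing above, using the page's own range syntax ("< X", ">= X and < Y", "all versions"). The advisory table is constructed from this page's entries; the package attribution of the adapter entries (@astrojs/vercel for CVE-2026-33768, @astrojs/cloudflare for CVE-2025-58179) is an assumption drawn from the truncated summaries and should be confirmed against the full advisory, and the function names are this example's own.

```javascript
// Added example (not from threatengine.sh or Astro): check installed versions
// against the affected-version ranges listed on this page.

// Constructed from the page's astro entries. The pkg field for the two
// adapter advisories is an assumption based on their summaries.
const ADVISORIES = [
  { cve: "CVE-2026-45028", pkg: "astro", range: "< 6.1.10", cvss: 6.1 },
  { cve: "CVE-2026-41067", pkg: "astro", range: "< 6.1.6", cvss: 6.1 },
  { cve: "CVE-2026-33769", pkg: "astro", range: ">= 2.10.10 and < 5.18.1", cvss: 5.3 },
  { cve: "CVE-2026-33768", pkg: "@astrojs/vercel", range: "< 10.0.2", cvss: 6.5 },
  { cve: "CVE-2026-29772", pkg: "astro", range: ">= 9.0.0 and < 10.0.0", cvss: 5.9 },
  { cve: "CVE-2026-27829", pkg: "astro", range: ">= 9.0.0 and < 9.5.4", cvss: 6.5 },
  { cve: "CVE-2026-27729", pkg: "astro", range: ">= 9.0.0 and < 9.5.4", cvss: 5.9 },
  { cve: "CVE-2026-25545", pkg: "astro", range: "< 9.5.4", cvss: 8.6 },
  { cve: "CVE-2025-66202", pkg: "astro", range: "< 5.15.8", cvss: 6.5 },
  { cve: "CVE-2025-64764", pkg: "astro", range: "< 5.15.8", cvss: 7.1 },
  { cve: "CVE-2025-64745", pkg: "astro", range: ">= 5.2.0 and < 5.15.6", cvss: 2.7 },
  { cve: "CVE-2025-64525", pkg: "astro", range: ">= 2.16.0 and < 5.15.5", cvss: 6.5 },
  { cve: "CVE-2025-59837", pkg: "astro", range: ">= 5.13.4 and < 5.13.10", cvss: 7.2 },
  { cve: "CVE-2025-58179", pkg: "@astrojs/cloudflare", range: ">= 11.0.3 and < 12.6.6", cvss: 7.2 },
  { cve: "CVE-2024-47885", pkg: "astro", range: ">= 3.0.0 and < 4.16.1", cvss: 5.9 },
];

// Parses "major.minor.patch" (optional leading "v"). A pre-release suffix such
// as "-beta.1" is ignored, so 5.15.8-beta.1 is treated as 5.15.8; use a real
// semver library when that distinction matters.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-.*)?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1, comparing component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  "<": (c) => c < 0,
  "<=": (c) => c <= 0,
  ">": (c) => c > 0,
  ">=": (c) => c >= 0,
};

// True when `version` satisfies every clause of `range`. Clauses are joined
// with "and"; the page's "all versions" matches everything.
function inRange(version, range) {
  if (range.trim() === "all versions") return true;
  return range.split(/\s+and\s+/).every((clause) => {
    const m = /^(<=|>=|<|>)\s*(\S+)$/.exec(clause.trim());
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    return OPS[m[1]](compareVersions(version, m[2]));
  });
}

// installed maps package name to version, e.g. { astro: "5.15.7" }.
// Returns the CVE ids that apply, highest CVSS first; packages that are not
// installed are skipped rather than reported.
function affectedAdvisories(installed, advisories = ADVISORIES) {
  return advisories
    .filter((a) => installed[a.pkg] !== undefined && inRange(installed[a.pkg], a.range))
    .sort((a, b) => b.cvss - a.cvss)
    .map((a) => a.cve);
}

console.log(affectedAdvisories({ astro: "5.15.7", "@astrojs/cloudflare": "12.6.5" }));
```

Feed it the versions from `package-lock.json` rather than the ranges in `package.json`, since the listing is keyed on the exact installed release. Note that a broad page range such as "< 9.5.4" for CVE-2026-25545 will flag every earlier major as well; the full advisory is the place to confirm which lines were actually fixed.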