Security Advisories · withastro/astro · GitHub

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Host header SSRF in prerendered error page fetch
GHSA-2pvr-wf23-7pc7 published Jun 12, 2026 by matthewp

High
XSS via Unescaped Attribute Names in Spread Props
GHSA-jrpj-wcv7-9fh9 published Jun 12, 2026 by matthewp

Moderate
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config
GHSA-529g-xq4f-cw38 published Jun 12, 2026 by matthewp

Moderate
Reflected XSS via unescaped slot name
GHSA-8hv8-536x-4wqp published Jun 12, 2026 by matthewp

High
Server island encrypted parameters vulnerable to cross-component replay
GHSA-xr5h-phrj-8vxv published May 7, 2026 by matthewp

Low
Cache Poisoning due to incorrect error handling when if-match header is malformed
GHSA-c57f-mm3j-27q9 published Apr 20, 2026 by matthewp

Moderate
SSRF via redirect following in Cloudflare image-binding-transform endpoint (incomplete fix for GHSA-qpr4)
GHSA-88gm-j2wx-58h6 published Apr 20, 2026 by matthewp

Low
XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass
GHSA-j687-52p2-xcff published Apr 20, 2026 by matthewp

Moderate
Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
GHSA-mr6q-rp88-fx84 published Mar 24, 2026 by matthewp

Moderate
Memory exhaustion DoS due to missing request body size limit in Server Islands
GHSA-3rmj-9m5h-8fpv published Mar 24, 2026 by matthewp

Moderate

⚡