cbcvebase.
CVE-2026-41067
published 2026-04-24

CVE-2026-41067: Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize…

PriorityP429medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.19%
8.7th percentile
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like , , or and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.

Affected

3 ranges
VendorProductVersion rangeFixed in
astroastro< 6.1.66.1.6
astroastro>= 0 < 6.1.66.1.6
withastroastro< 6.1.66.1.6
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.