cbcvebase.
CVE-2026-41322
published 2026-04-24

CVE-2026-41322: @astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from _astro path with an…

PriorityP426medium5.3CVSS 3.1
AVNACLPRNUINSUCNINAL
EPSS
0.24%
14.7th percentile
@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from _astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all subsequent requests to that file, regardless of if-match header will be served a 5xx error instead of the file until the cache expires. This vulnerability is fixed in 10.0.5.

Affected

2 ranges
VendorProductVersion rangeFixed in
astrojsnode>= 0 < 10.0.510.0.5
withastroastro< 10.0.510.0.5
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.