CVE-2026-41067 - Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass
CVE ID: CVE-2026-41067
Published: April 24, 2026, 5:16 p.m.
Description: Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex `/<\/script>/g` to sanitize values injected into inline , , or and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.
Severity: 6.1 | MEDIUM