CVE-2026-33769

Exploit

EPSS 0.09%
Veröffentlicht 24.03.2026 18:44:29
Zuletzt bearbeitet 26.03.2026 12:04:56
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Astro ≫ Astro SwPlatformnode.js Version >= 2.10.10 < 5.18.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.252

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	2.9	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3f

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-33769

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33769

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33769

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33769