CVE-2026-41067 MEDIUM

CVE-2026-41067: Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass

Vendor Withastro
Product astro
Weakness CWE-79 · XSS
Published April 24, 2026
Last update April 24, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.
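To make the gap concrete, here is an added example (not Astro's code; all function names are this example's own) that pairs a sanitizer shaped like the quoted `/<\/script>/g` replacement with a tokenizer-style check for the HTML end-tag rule, and contrasts it with an assumed hardened serializer that escapes `<` and `>` as JSON `\u` sequences:

```javascript
// Added example for this advisory: a sanitizer shaped like the one the
// description quotes, a tokenizer-style check, and a hardened serializer.
// Function names are this example's own, not Astro's API.

// Vulnerable: case-sensitive, exact-match replacement of "</script>".
function sanitizeVulnerable(value) {
  return JSON.stringify(value).replace(/<\/script>/g, '<\\/script>');
}

// Hardened (an assumed fix, not Astro's actual patch): escape "<" and ">"
// as JSON \u escapes. JSON.parse and JS both decode them back, but the HTML
// tokenizer never sees a "<", so no end tag can be formed in any spelling.
function sanitizeHardened(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// Model of the HTML tokenizer's script-data end-tag rule: "</script"
// matched case-insensitively and terminated by whitespace, "/" or ">".
const SCRIPT_END_TAG = /<\/script(?=[\t\n\f\r \/>])/i;

// Does the serialized value break out of the enclosing <script> element?
function closesScriptElement(serialized) {
  return SCRIPT_END_TAG.test(serialized);
}

// How many script end tags does a rendered fragment contain? A safe inline
// script contains exactly one: its own closing tag.
function endTagCount(html) {
  return (html.match(new RegExp(SCRIPT_END_TAG.source, 'gi')) || []).length;
}

// Does the sanitized output still decode to the original value?
function roundTrips(sanitize, value) {
  return JSON.parse(sanitize(value)) === value;
}

// Constructed inputs following the payload shapes named in the advisory,
// plus a benign value containing other tags.
const SAMPLES = ['</script>', '</Script>', '</script >', '</script/>', 'a <b>bold</b> note'];

// Map each sample to whether it escapes the script element after sanitizing.
function evaluate(sanitize) {
  return Object.fromEntries(SAMPLES.map((s) => [s, closesScriptElement(sanitize(s))]));
}

// Render the way a define:vars-style inline script embeds server values.
function renderInlineScript(sanitize, vars) {
  const decls = Object.entries(vars).map(([k, v]) => `const ${k} = ${sanitize(v)};`);
  return `<script>\n${decls.join('\n')}\n</script>`;
}

console.log('vulnerable:', evaluate(sanitizeVulnerable));
console.log('hardened:  ', evaluate(sanitizeHardened));
```

Only the exact lowercase `</script>` is neutralised by the vulnerable sanitizer; the three variants from the advisory pass through and add a second end tag to the rendered script, while the hardened serializer leaves exactly one and still round-trips every value.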

Key dates

02 Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated