Vulnerable Library - astro-5.18.1.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-5.18.1.tgz
Path to dependency file: /tutorials/video-javascript-multiparty/package.json
Path to vulnerable library: /tutorials/video-javascript-multiparty/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video_learning_server-node-deploy/package.json,/toolbar-app/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/verify-backend/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (astro version) |
Remediation Possible** |
| CVE-2026-41305 |
 Medium |
6.1 |
postcss-8.5.6.tgz |
Transitive |
6.0.0 |
✅ |
| CVE-2026-41067 |
Medium |
6.1 |
astro-5.18.1.tgz |
Direct |
6.1.6 |
✅ |
| CVE-2026-45028 |
Medium |
5.3 |
astro-5.18.1.tgz |
Direct |
N/A |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-41305
Vulnerable Library - postcss-8.5.6.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz
Path to dependency file: /sources/voice-javascript-workshop/package.json
Path to vulnerable library: /sources/voice-javascript-workshop/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/video-javascript-one_to_one/package.json,/toolbar-app/package.json,/tutorials/verify-backend/package.json,/tutorials/voice-javascript-workshop/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/tutorials/video-javascript-signaling/package.json,/tutorials/voice-node-app_to_app/package.json,/tutorials/webxr-javascript-workshop/package.json,/sources/webxr-javascript-workshop/package.json,/tutorials/video-javascript-debugging/package.json,/sources/video_learning_server-node-deploy/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/sources/video-javascript-one_to_one/package.json,/sources/video-javascript-signaling/package.json,/tutorials/video_learning_server-node-deploy/package.json,/tutorials/video-javascript-multiparty/package.json,/tutorials/package.json
Dependency Hierarchy:
- astro-5.18.1.tgz (Root Library)
- vite-6.4.2.tgz
- ❌ postcss-8.5.6.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape "</style>" sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML "<style>" tags, "</style>" in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
Publish Date: 2026-04-24
URL: CVE-2026-41305
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qx2v-qp2m-jg93
Release Date: 2026-04-24
Fix Resolution (postcss): 8.5.10
Direct dependency fix Resolution (astro): 6.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-41067
Vulnerable Library - astro-5.18.1.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-5.18.1.tgz
Path to dependency file: /tutorials/video-javascript-multiparty/package.json
Path to vulnerable library: /tutorials/video-javascript-multiparty/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video_learning_server-node-deploy/package.json,/toolbar-app/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/verify-backend/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json
Dependency Hierarchy:
- ❌ astro-5.18.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /</script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-04-24
URL: CVE-2026-41067
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-j687-52p2-xcff
Release Date: 2026-04-24
Fix Resolution: 6.1.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-45028
Vulnerable Library - astro-5.18.1.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-5.18.1.tgz
Path to dependency file: /tutorials/video-javascript-multiparty/package.json
Path to vulnerable library: /tutorials/video-javascript-multiparty/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video_learning_server-node-deploy/package.json,/toolbar-app/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/verify-backend/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json
Dependency Hierarchy:
- ❌ astro-5.18.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Impact Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props ("p") value as another component's slots ("s") value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications that meet all of the following conditions: - The application uses server islands - Two different server island components share the same key name for a prop and a slot - An attacker has full control over the value of the overlapping prop (requires a dynamically rendered page) These conditions are very unlikely to occur in real-world production applications. Patches This has been patched in astro@6.1.10. The fix binds each encrypted parameter to its target component and purpose using AES-GCM authenticated additional data (AAD). Each ciphertext now includes context like "props:IslandName" or "slots:IslandName", so encrypted data for one component cannot be replayed against a different component, and encrypted props cannot be reused as slots. References - Fix PR: withastro/astro#16457 - Example demonstrating the vulnerability: https://github.com/CyberSecurityAustria/ACSC2026-web-astronomical
Publish Date: 2026-05-13
URL: CVE-2026-45028
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
⛑️Automatic Remediation will be attempted for this issue.
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-5.18.1.tgz
Path to dependency file: /tutorials/video-javascript-multiparty/package.json
Path to vulnerable library: /tutorials/video-javascript-multiparty/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video_learning_server-node-deploy/package.json,/toolbar-app/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/verify-backend/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - postcss-8.5.6.tgz
Tool for transforming styles with JS plugins
Library home page: https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz
Path to dependency file: /sources/voice-javascript-workshop/package.json
Path to vulnerable library: /sources/voice-javascript-workshop/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/video-javascript-one_to_one/package.json,/toolbar-app/package.json,/tutorials/verify-backend/package.json,/tutorials/voice-javascript-workshop/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/tutorials/video-javascript-signaling/package.json,/tutorials/voice-node-app_to_app/package.json,/tutorials/webxr-javascript-workshop/package.json,/sources/webxr-javascript-workshop/package.json,/tutorials/video-javascript-debugging/package.json,/sources/video_learning_server-node-deploy/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/sources/video-javascript-one_to_one/package.json,/sources/video-javascript-signaling/package.json,/tutorials/video_learning_server-node-deploy/package.json,/tutorials/video-javascript-multiparty/package.json,/tutorials/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape "</style>" sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML "<style>" tags, "</style>" in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
Publish Date: 2026-04-24
URL: CVE-2026-41305
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qx2v-qp2m-jg93
Release Date: 2026-04-24
Fix Resolution (postcss): 8.5.10
Direct dependency fix Resolution (astro): 6.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - astro-5.18.1.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-5.18.1.tgz
Path to dependency file: /tutorials/video-javascript-multiparty/package.json
Path to vulnerable library: /tutorials/video-javascript-multiparty/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video_learning_server-node-deploy/package.json,/toolbar-app/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/verify-backend/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /</script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML parsers close <script> elements case-insensitively and also accept whitespace or / before the closing >, allowing an attacker to bypass the sanitization with payloads like </Script>, </script >, or </script/> and inject arbitrary HTML/JavaScript. This vulnerability is fixed in 6.1.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-04-24
URL: CVE-2026-41067
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-j687-52p2-xcff
Release Date: 2026-04-24
Fix Resolution: 6.1.6
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - astro-5.18.1.tgz
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
Library home page: https://registry.npmjs.org/astro/-/astro-5.18.1.tgz
Path to dependency file: /tutorials/video-javascript-multiparty/package.json
Path to vulnerable library: /tutorials/video-javascript-multiparty/package.json,/sources/webxr-javascript-workshop/package.json,/sources/video_learning_server-node-deploy/package.json,/tutorials/video_learning_server-node-deploy/package.json,/toolbar-app/package.json,/tutorials/video-javascript-one_to_one/package.json,/tutorials/verify-backend/package.json,/tutorials/video-javascript-debugging/package.json,/tutorials/package.json,/tutorials/voice-node-app_to_app/package.json,/sources/video-javascript-signaling/package.json,/sources/video-javascript-multiparty/package.json,/tutorials/voice-javascript-workshop/package.json,/sources/video-javascript-one_to_one/package.json,/tutorials/video-javascript-signaling/package.json,/sources/video-javascript-multiparty_archiving/package.json,/sources/video-javascript-debugging/package.json,/tutorials/video-javascript-multiparty_archiving/package.json,/sources/voice-javascript-workshop/package.json,/tutorials/webxr-javascript-workshop/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Impact Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props ("p") value as another component's slots ("s") value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications that meet all of the following conditions: - The application uses server islands - Two different server island components share the same key name for a prop and a slot - An attacker has full control over the value of the overlapping prop (requires a dynamically rendered page) These conditions are very unlikely to occur in real-world production applications. Patches This has been patched in astro@6.1.10. The fix binds each encrypted parameter to its target component and purpose using AES-GCM authenticated additional data (AAD). Each ciphertext now includes context like "props:IslandName" or "slots:IslandName", so encrypted data for one component cannot be replayed against a different component, and encrypted props cannot be reused as slots. References - Fix PR: withastro/astro#16457 - Example demonstrating the vulnerability: https://github.com/CyberSecurityAustria/ACSC2026-web-astronomical
Publish Date: 2026-05-13
URL: CVE-2026-45028
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.⛑️Automatic Remediation will be attempted for this issue.