cyber | MEDIUM | 2026-04-24 17:16 UTC

CVE-2026-41067 - Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass

CVE ID: CVE-2026-41067

Published: April 24, 2026, 5:16 p.m. | 40 minutes ago

Description: Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the def

Original source: CVE Feed Latest