Description
The defineScriptVars function in Astro's server-side rendering pipeline uses the case-sensitive regex /<\/script>/g to sanitize values injected into inline <script> tags via the define:vars directive. HTML end-tag matching is case-insensitive, so a value containing a variant such as </SCRIPT> is left unchanged by that replacement and closes the script element early; when the value is attacker-controlled, the remainder of the string is then parsed as HTML rather than as a JavaScript string literal.
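The following is an added example and not Astro's source: it models a define:vars-style serializer with the case-sensitive replacement described above next to a hardened variant, and checks each against the HTML tokenizer rule that ends a script element. The function names, the identifier check and the payload strings are all constructed for this illustration.

```javascript
// Added example (not Astro's code). Models a define:vars-style serializer that
// inlines JSON-serializable values into an inline <script> body.

function toIdent(name) {
  // Assumption for this example: keys must already be plain JS identifiers.
  if (!/^[A-Za-z_$][\w$]*$/.test(name)) throw new Error(`bad identifier: ${name}`);
  return name;
}

// Vulnerable form: only the exact lowercase "</script>" is rewritten.
function defineScriptVarsVulnerable(vars) {
  let out = '';
  for (const [key, value] of Object.entries(vars)) {
    const json = JSON.stringify(value).replace(/<\/script>/g, '\\x3C/script>');
    out += `const ${toIdent(key)} = ${json};\n`;
  }
  return out;
}

// Hardened form: escape every "<" and ">" as a unicode escape. JSON.stringify only
// emits these characters inside string literals, and "\u003c" is valid in both
// JSON and JavaScript, so the runtime value is unchanged while the HTML tokenizer
// never sees a "<" at all. U+2028/U+2029 are escaped for the same reason: they are
// legal in JSON strings but terminate lines in older JavaScript engines.
function defineScriptVarsHardened(vars) {
  let out = '';
  for (const [key, value] of Object.entries(vars)) {
    const json = JSON.stringify(value)
      .replace(/</g, '\\u003c')
      .replace(/>/g, '\\u003e')
      .replace(/\u2028/g, '\\u2028')
      .replace(/\u2029/g, '\\u2029');
    out += `const ${toIdent(key)} = ${json};\n`;
  }
  return out;
}

// Approximation of the HTML "script data end tag" rule: "</script" in any letter
// case, followed by whitespace, "/" or ">", ends the element.
function breaksOutOfScript(scriptBody) {
  return /<\/script[\t\n\f\r \/>]/i.test(scriptBody);
}

// Constructed attacker-controlled inputs for the demonstration.
const PAYLOADS = {
  lowercase: '</script><img src=x onerror=alert(1)>',
  uppercase: '</SCRIPT><img src=x onerror=alert(1)>',
  spaced: '</script ><img src=x onerror=alert(1)>',
};

// Returns, per payload, whether the serialized script body escapes the <script>
// context under the given serializer.
function evaluate(serialize) {
  const result = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    result[name] = breaksOutOfScript(serialize({ title: payload }));
  }
  return result;
}

// Confirms the hardened output still decodes to the original value.
function roundTrips(value) {
  const src = defineScriptVarsHardened({ v: value });
  const json = src.slice('const v = '.length, -2); // strip "const v = " and ";\n"
  return JSON.parse(json) === value;
}

console.log('vulnerable:', evaluate(defineScriptVarsVulnerable));
console.log('hardened:  ', evaluate(defineScriptVarsHardened));
```

Note that a case-insensitive regex such as /<\/script>/gi closes the uppercase bypass but still misses forms like `</script >` that the tokenizer accepts; escaping `<` itself removes the whole class rather than one spelling of it.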
Recommendation
Update the astro package to the latest compatible version. Version details:
- Affected version(s): < 6.1.6
- Patched version(s): 6.1.6
References
Related Issues
- defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag - CVE-2026-30830
- ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context - CVE-2026-33889
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4) - CVE-2026-41321
- Tags:
- npm
- astro
Last updated on April 27, 2026


