Back to overview

CVE-2026-59731

HIGH Exploitation: PoC
8.2
CVSS 3.1
Description
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, while later rewrite route matching performs an additional decodeURI() operation and can resolve the request to a protected route. This issue is fixed in version 6.4.8.

Metadata

CVE ID
CVE-2026-59731
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-06 15:34 UTC
Published
2026-07-08 16:27 UTC
Last updated
2026-07-09 14:38 UTC
Primary CWE
CWE-647
CWE-647: Use of Non-Canonical URL Paths for Authorization De…
Vendor / Product
withastro / astro
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
withastro astro >= 6.4.7, < 6.4.8
Weakness (CWE)
CWESourceDescription
CWE-647 cna CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
References (4)
Back to overview