PT-2026-34233 · Astro · Astro

Published: 2026-04-21
Updated: 2026-04-24
CVE: CVE-2026-41067
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Astro versions prior to 6.1.6

Description: The defineScriptVars() function in the server-side rendering pipeline uses a case-sensitive regular expression to sanitize values injected into inline <script> tags via the define:vars directive. Because HTML parsers process closing script elements case-insensitively and allow whitespace or a forward slash before the closing bracket, the sanitization can be bypassed. An attacker can use payloads such as </Script>, </script >, or </script/> to prematurely close the script block and inject arbitrary HTML or JavaScript into the page.

Recommendations: Update to version 6.1.6. As a temporary workaround, restrict the use of the define:vars directive when passing user-controlled input to <script> tags.
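The following is an added illustration, not Astro's own code: a minimal model of the weakness class the description covers (a case-sensitive end-tag filter on values serialized into an inline script) next to a hardened serializer that escapes the "<" character itself instead of trying to recognise end-tag spellings. All function names, the SCRIPT_END_TAG pattern and the sample inputs are assumptions constructed for this example, and the inputs are exactly the three spellings already listed above plus the plain lowercase form.

```javascript
// Added example (not Astro's code): a model of the sanitization weakness the
// advisory describes, beside a hardened serializer. All names are assumptions.

// How an HTML tokenizer decides that script data has ended: "</" followed by
// "script" (ASCII case-insensitive) and then whitespace, "/" or ">".
const SCRIPT_END_TAG = /<\/script[\s\/>]/i;

// Weak variant: neutralizes only the exact lowercase "</script>" sequence,
// so "</Script>", "</script >" and "</script/>" pass through untouched.
function serializeWeak(value) {
  return JSON.stringify(value).replace(/<\/script>/g, '<\\/script>');
}

// Hardened variant: instead of pattern-matching end tags, escape every "<"
// as the JSON/JS string escape \u003c. The HTML tokenizer then never sees a
// "<" inside the script data, so no tag of any spelling can be formed, while
// JSON.parse and the JS engine still decode the escape back to "<".
function serializeHardened(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// Builds the inline script a define:vars-style feature would emit
// (hypothetical shape, for illustration only).
function renderInlineScript(varName, value, serialize) {
  return `<script>const ${varName} = ${serialize(value)};</script>`;
}

// Returns true if the serialized value on its own could terminate the script
// element early, i.e. if the tokenizer would find an end tag inside it.
function breaksOutOfScript(serialized) {
  return SCRIPT_END_TAG.test(serialized);
}

// Constructed sample inputs: the three bypass spellings named in the
// advisory plus the exact lowercase form that the weak filter does catch.
const SAMPLE_INPUTS = ['</Script>', '</script >', '</script/>', '</script>'];

// Runs each sample through a serializer; returns input -> whether the
// serialized form can escape the script block.
function evaluate(serialize) {
  const result = {};
  for (const input of SAMPLE_INPUTS) {
    result[input] = breaksOutOfScript(serialize(input));
  }
  return result;
}

// Round-trip check: the hardened output must still decode to the original
// value, otherwise the fix would silently change application data.
function roundTrips(value) {
  return JSON.parse(serializeHardened(value)) === value;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak:', evaluate(serializeWeak));
  console.log('hardened:', evaluate(serializeHardened));
  console.log(renderInlineScript('user', 'a</Script>b', serializeHardened));
}
```

The point of the hardened variant is that it does not enumerate end-tag spellings at all: the tokenizer's script-data state only leaves on a "<" character, so removing that character from the serialized output closes the whole class of variants, including ones a case-insensitive regex might still miss. A detection check for code review is the same pattern in reverse: any serializer that emits data into an inline script and only replaces a literal "</script>" string deserves a second look.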

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-41067
GHSA-J687-52P2-XCFF

Affected Products

Astro