CVE-2026-33769 — MEDIUM (5.3)

Q: How severe is CVE-2026-33769?

CVE-2026-33769 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-33769?

Check the references section above for vendor advisories and patch information. Affected products include: Astro Astro.

Vulnerability Description

Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Astro	Astro	>= 2.10.10, < 5.18.1

Related Weaknesses (CWE)

CWE-20

References

https://github.com/withastro/astro/security/advisories/GHSA-g735-7g2w-hh3fExploitVendor Advisory

FAQ

What is CVE-2026-33769?

CVE-2026-33769 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Astro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image opti...

How severe is CVE-2026-33769?

CVE-2026-33769 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-33769?

Check the references section above for vendor advisories and patch information. Affected products include: Astro Astro.