CVE-2026-33768
PUBLISHED
CVSS 6.5 MEDIUM
Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
EPSS 0.05% · 16.0th percentile
Risk Scores
CVSS 3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.05% (16.0th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| withastro | astro | < 10.0.2, < 10.0.2, * |
| astrojs | vercel | 0, 0, 0 |
| astro | @astrojs/vercel | 0, 0, 0 |
Exploit Intelligence
- CIRCL published-proof-of-concept: CVE-2026-33768 (circl-sighting)
- https://github.com/withastro/astro/security/advisories/GHSA-mr6q-rp88-fx84 (nist-nvd)
- https://github.com/withastro/astro/pull/15959 (circl)
- https://github.com/withastro/astro/commit/335a204161f5a7293c128db570901d4f8639c6ed (circl)
- https://github.com/withastro/astro/releases/tag/%40astrojs%2Fvercel%4010.0.2 (circl)
- csi_rules.yara (github-yara)
…and 2 more exploits
Timeline
- Jun 28, 2021 PoC Published
- Mar 24, 2026 PoC Published
- Mar 24, 2026 CVE Published
- Mar 24, 2026 CVE Updated
- Mar 25, 2026 EPSS Score
- Mar 25, 2026 Coalition ESS Score
- Mar 27, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
References
- https://github.com/withastro/astro/security/advisories/GHSA-mr6q-rp88-fx84 url
- https://github.com/withastro/astro/pull/15959 url
- https://github.com/withastro/astro/commit/335a204161f5a7293c128db570901d4f8639c6ed url
- https://github.com/withastro/astro/releases/tag/%40astrojs%2Fvercel%4010.0.2 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-33768 advisory
- https://github.com/advisories/GHSA-f82v-jwr5-mffw advisory
- https://github.com/withastro/astro package
- https://github.com/withastro/astro/releases/tag/@astrojs/vercel@10.0.2 url