CVE-2026-59731
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after r
CVSS
8.2
High
EPSS
0.3%
p19
KEV
—
Exploit Today
6
0-100
Published: Jul 8, 2026 · Last modified: Jul 9, 2026 · CWE-647
0.3%EPSS · 30 days0.3%
2026-07-092026-07-17
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, while later rewrite route matching performs an additional decodeURI() operation and can resolve the request to a protected route. This issue is fixed in version 6.4.8.
- github.comhttps://github.com/withastro/astro/commit/27c80ea92248993e5fce94b2c26d87d611ab6785
- github.comhttps://github.com/withastro/astro/pull/17109
- github.comhttps://github.com/withastro/astro/releases/tag/astro@6.4.8
- github.comhttps://github.com/withastro/astro/security/advisories/GHSA-vj59-8hwv-xxmv
- github.comhttps://github.com/withastro/astro/security/advisories/GHSA-vj59-8hwv-xxmv
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-626858.1 HIG24.4%
——7File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17.2dCVE-2026-83845.3 MED9.7%
——3In Eclipse Jetty, an HTTP URI of this form:
/public;/../admin/secret.txt
results in an unresolved path of:
/public/../admin/secret.txt
instead of the expected:
/admin/secret.txt
Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).
However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.3d