CVE-2026-59731
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after r
CVSS
8.2
Alto
EPSS
0.3%
p19
KEV
—
Exploit Today
6
0-100
Publicado: 8 jul 2026 · Última mod.: 9 jul 2026 · CWE-647
0.3%EPSS · 30 días0.3%
2026-07-092026-07-17
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, while later rewrite route matching performs an additional decodeURI() operation and can resolve the request to a protected route. This issue is fixed in version 6.4.8.
- github.comhttps://github.com/withastro/astro/commit/27c80ea92248993e5fce94b2c26d87d611ab6785
- github.comhttps://github.com/withastro/astro/pull/17109
- github.comhttps://github.com/withastro/astro/releases/tag/astro@6.4.8
- github.comhttps://github.com/withastro/astro/security/advisories/GHSA-vj59-8hwv-xxmv
- github.comhttps://github.com/withastro/astro/security/advisories/GHSA-vj59-8hwv-xxmv
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-626858.1 ALT24.4%
——7File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser builds new user scopes from usernames passed through cleanUsername() when Signup=true and CreateUserDir=true, but the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory without checking whether the resulting scope is already taken, allowing a second registrant to gain full read and write access to another user's files. This issue is fixed in version 2.63.17.2dCVE-2026-83845.3 MED9.7%
——3In Eclipse Jetty, an HTTP URI of this form:
/public;/../admin/secret.txt
results in an unresolved path of:
/public/../admin/secret.txt
instead of the expected:
/admin/secret.txt
Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).
However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.3d