Skip to main content

Astro EUVDEUVD-2026-25632

| CVE-2026-41248 CRITICAL
Interpretation Conflict (CWE-436)
2026-04-24 GitHub_M GHSA-vqx2-fgx2-5wq9
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 29, 2026 - 20:56 nvd
Patch available
Patch available
Apr 24, 2026 - 23:02 EUVD
EUVD ID Assigned
Apr 24, 2026 - 21:15 euvd
EUVD-2026-25632
CVE Published
Apr 24, 2026 - 21:04 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1

Analysis

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1

More in Astro

View all
CVE-2018-7180 CRITICAL POC
9.8 Feb 17

SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla!. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2024-56159 HIGH POC
7.8 Dec 19

Astro is a web framework for content-driven websites. Rated high severity (CVSS 7.8), this vulnerability is remotely exp

CVE-2025-64764 HIGH POC
7.1 Nov 19

Astro is a web framework. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication

CVE-2025-55303 MEDIUM POC
6.9 Aug 19

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.9), this vulnerability is remotely e

CVE-2025-64525 MEDIUM POC
6.5 Nov 13

Astro is a web framework. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authenticatio

CVE-2025-54793 MEDIUM POC
5.5 Aug 08

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 5.5), this vulnerability is remotely e

CVE-2026-59731 HIGH
8.2 Jul 08

Authorization bypass in the Astro web framework version 6.4.7 lets remote unauthenticated attackers reach protected rout

CVE-2023-50249 HIGH
7.5 Dec 20

Sentry-Javascript is official Sentry SDKs for JavaScript. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2026-33768 MEDIUM
6.5 Mar 24

The @astrojs/vercel serverless adapter in Astro versions prior to 10.0.2 contains an unauthenticated path traversal vuln

CVE-2024-56140 MEDIUM
6.5 Dec 18

Astro is a web framework for content-driven websites. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2026-29772 MEDIUM
5.9 Mar 24

Astro web framework versions prior to 10.0.0 contain an unbounded JSON parsing vulnerability in the Server Islands POST

CVE-2024-47885 MEDIUM
5.4 Oct 14

The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to ver

Share

EUVD-2026-25632 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy