CVE-2026-33769
Astro: Remote allowlist bypass via unanchored matchPathname wildcardAstro is a web framework. From version 2.10.10 to before version 5.18.1, this issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.
We have discovered 17,726 live websites that are affected by CVE-2026-33769.
Affected Software
| Product | |
| Category | Static Site Generator |
| Vulnerable Domains | 17,726 live websites (91% of Astro install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 312 versions ( 72% of all versions) |
Common Weakness Enumeration
CWE-20 Improper Input ValidationDetails
- Published - Mar 24, 2026
- Updated - Mar 24, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-33769 United States | 10,843 websites |
 Germany | 1,149 websites |
 GB | 523 websites |
 France | 475 websites |
 Japan | 387 websites |
 Spain | 249 websites |
 Canada | 245 websites |
 Poland | 242 websites |
 Netherlands | 235 websites |
 Australia | 202 websites |
Website Distribution by TLD
Number of websites using CVE-2026-33769| .com | 8,447 websites |
| .de | 687 websites |
| .org | 637 websites |
| .net | 611 websites |
| .co.uk | 367 websites |
| .fr | 302 websites |
| .io | 298 websites |
| .nl | 233 websites |
| .pl | 206 websites |
| .com.au | 193 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-33769
Top websites that are affected by CVE-2026-33769. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **.cn |  China | *** | |
| ************.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| ********.jp | Japan | *,*** | |
| *****.com | United States | *,*** | |
| ***********.com | United States | *,*** | |
| *******.io | United States | *,*** | |
| ******.com |  India | *,*** | |
| ****.com | United States | *,*** | |
| ***********.se | United States | *,*** |
FAQ
CVE-2026-33769 is Improper Input Validation in Astro
A total of 17,726 websites have been identified as vulnerable to CVE-2026-33769, based on global website indexing conducted by WebTechSurvey.
The Astro is affected by the CVE-2026-33769 vulnerability.
Astro versions up to 5.18.1 are vulnerable to CVE-2026-33769.
CVE-2026-33769 is resolved in version 5.18.1 of Astro.