CVE-2026-54300
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
A vulnerability in @astrojs/netlify prior to version 7.0.13 allows for improper matching of image patterns, potentially leading to unauthorized access to resources. Patterns using wildcards can match more paths and hosts than intended.
Risk Assessment
Organizations may be exposed to unauthorized access to images or resources, which could lead to data leaks or other security threats.
Recommendation
It is recommended to upgrade to version 7.0.13 or later to eliminate this vulnerability and secure the application against unauthorized access.
Original NVD description (English source)
@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remote_images regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as *.example.com is converted to an optional subdomain regex, so the apex host matches. A single wildcard pathname such as /ok/* is converted without end anchoring, so deeper paths match by prefix. This vulnerability is fixed in 7.0.13.

