astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind.

Affected versions of this package are vulnerable to Use of Non-Canonical URL Paths for Authorization Decisions due to improper URL decoding logic. The pathname validation used for protecting routes decodes the request path only once, allowing double-encoded sequences to bypass path-based authentication checks. An attacker can exploit this by submitting double-encoded URLs to access protected routes such as /admin or /api/internal, enabling unauthorized access to restricted functionality.

Note: There has been an attempt to fix this vulnerability in version 5.15.8 following CVE-2025-64765, but the fix is insufficient.

nicegui is a Create web-based user interfaces with Python. The nice way.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ui.add_css, ui.add_scss, and ui.add_sass functions. An attacker can execute arbitrary JavaScript in the context of the user's browser by injecting specially crafted input that breaks out of the intended style or script tags.

Affected versions of this package are vulnerable to Race Condition due to concurrent requests using the ApiClient class. An attacker can manipulate response status codes or headers between concurrent requests by exploiting shared state in multithreaded environments.

Note: This is only exploitable if a multithreaded application uses the ApiClient class and relies on response status codes in access control flows.