CVE-2026-30118 describes a critical unauthenticated server-side request forgery (SSRF) issue in scalar/astro v0.1.13, centered on the Scalar Proxy endpoint’s scalar_url query parameter. An attacker can cause the backend to issue HTTP requests to attacker-controlled destinations, which may expose authentication cookies and headers and could support privilege escalation if sensitive requests are proxied.
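One way a proxy could constrain the `scalar_url` target and keep the caller's cookies and auth headers out of the forwarded request, as an added example (not Scalar's code or its fix). `ALLOWED_HOSTS`, the header list and the function names are hypothetical, and `api.example.com` is a constructed placeholder.

```javascript
// Added example, not Scalar's code. Names and lists below are hypothetical.
const ALLOWED_HOSTS = new Set(['api.example.com']); // constructed allowlist entry
const SENSITIVE_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Loopback, RFC 1918, link-local (cloud metadata), CGNAT and 0.0.0.0/8.
function isInternalIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Decide whether the proxy may fetch `raw` (the scalar_url value).
// The reason string is meant for logging, so rejected targets can be alerted on.
function checkProxyTarget(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'userinfo' };
  // The URL parser has already normalised forms such as 2130706433 to
  // dotted decimal, so the checks below see the address actually dialled.
  const host = url.hostname;
  if (isInternalIPv4(host)) return { ok: false, reason: 'internal-address' };
  if (host.startsWith('[') || /^[\d.]+$/.test(host)) return { ok: false, reason: 'ip-literal' };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: 'host-not-allowed' };
  return { ok: true, url };
}

// Copy request headers for the upstream call, dropping the caller's credentials.
function forwardableHeaders(incoming) {
  const out = {};
  for (const [name, value] of Object.entries(incoming)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}
```

A hostname check alone does not cover redirects or DNS answers that point inward, so the upstream request should not follow redirects automatically and the resolved address should be checked as well.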
CVE-2026-30117 is a critical vulnerability published on 2026-05-19 and modified on 2026-05-20. The supplied description says scalar/astro v0.1.13 contains an arbitrary file upload flaw in the Scalar Proxy endpoint’s scalar_url query parameter, and that a crafted SVG upload can be used to execute arbitrary code. Based on the provided CVSS vector, the issue is network-reachable, requires no privileges or us [truncated]