CVE Catalog

CVE-2026-50146

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

Astro is a web framework that prior to version 6.3.3 had a vulnerability where components using the client:* directive inserted slot content into a data-astro-template attribute without proper escaping, allowing an attacker to inject arbitrary HTML and leading to reflected XSS during SSR.

Risk Assessment

This vulnerability poses a risk of injecting malicious HTML, which could lead to user data theft or session hijacking. Organizations should be aware of potential XSS attacks that could affect their web applications.

Recommendation

It is recommended to upgrade to version 6.3.3 or later to mitigate this vulnerability. Additionally, conducting a security audit of the application to identify other potential vulnerabilities is advisable.

Original NVD description (English source)

Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR. This vulnerability is fixed in 6.3.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS