CVE-2026-50146
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Astro is a web framework that prior to version 6.3.3 had a vulnerability where components using the client:* directive inserted slot content into a data-astro-template attribute without proper escaping, allowing an attacker to inject arbitrary HTML and leading to reflected XSS during SSR.
Risk Assessment
This vulnerability poses a risk of injecting malicious HTML, which could lead to user data theft or session hijacking. Organizations should be aware of potential XSS attacks that could affect their web applications.
Recommendation
It is recommended to upgrade to version 6.3.3 or later to mitigate this vulnerability. Additionally, conducting a security audit of the application to identify other potential vulnerabilities is advisable.
Original NVD description (English source)
Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR. This vulnerability is fixed in 6.3.3.

