6 matches found
CVE-2026-50146
Astro is a web framework. Prior to 6.3.3, when a component uses a client: directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflect...
CVE-2026-50146 Astro: Reflected XSS via unescaped slot name
Astro is a web framework. Prior to 6.3.3, when a component uses a client: directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflect...
Cross-site Scripting (XSS)
Astro is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper HTML escaping of named slot content inserted into the data-astro-template attribute when using client: directives, which allows an attacker to break out of the attribute context and inject arbitrary HTML or...
Cross-site Scripting (XSS)
Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the data-astro-template attribute when a component uses a client: directive and the slot name is not...
Astro: Reflected XSS via unescaped slot name
Summary When a component uses a client: directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR. This is similar...
PT-2026-49731
Name of the Vulnerable Software and Affected Versions Astro versions prior to 6.3.3 Description When a component utilizes a client: directive, the software inserts named slot content into a data-astro-template attribute without performing HTML escaping on the slot name. This allows an attacker to...