Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| withastro | astro | affected |
|
No data.
No data.
OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.
No data.
Project Subscriptions
No data.
| Source | ID | Title |
|---|---|---|
 Github GHSA |
GHSA-8hv8-536x-4wqp | Astro: Reflected XSS via unescaped slot name |
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Mon, 22 Jun 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR. This vulnerability is fixed in 6.3.3. | |
| Title | Astro: Reflected XSS via unescaped slot name | |
| Weaknesses | CWE-80 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-22T17:31:56.313Z
Reserved: 2026-06-03T18:49:32.276Z
Link: CVE-2026-50146
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-06-22T19:30:06Z