
CVE-2026-50146: Astro: Reflected XSS via unescaped slot name


CVSS Score: 7.1
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-50146
Vendor: npm
Affected Product: astro
Vulnerability Type: Vulnerability
CVSS Score: 7.1 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory →
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Summary

When a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name, allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR. This is similar to GHSA-wrwg-2hg8-v723 but exploits a different injection point.

Vulnerable Code

packages/astro/src/runtime/server/render/component.ts:371:376

```ts
// component.ts:371
${children[key]}
```

I found that `key` is interpolated directly into the attribute value without proper escaping.

Proof of Concept

For the PoC, I set up a minimal repository with Astro 6.3.1 and Node.js v26.0.0.

astro.config.mjs:

```js
import react from '@astrojs/react';
import node from '@astrojs/node';
```
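The defect class described in the summary, as an added TypeScript illustration that is not Astro's code: a slot name interpolated unescaped into a data-astro-template attribute beside the same rendering with attribute escaping applied, plus a check that counts how many template elements actually came out. All function names, the SlotMap type and the sample slot names are hypothetical and constructed here.

```typescript
// Added illustration, not Astro's implementation. Slot content is assumed to be
// already-rendered HTML; only the slot name (the attribute value) is at issue.
type SlotMap = Record<string, string>;

// Escape every character that can close or alter an HTML attribute value or
// open a tag. Order matters: '&' first so later entities are not double-escaped.
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsafe variant: the slot name goes straight into the quoted attribute.
function renderSlotsUnsafe(children: SlotMap): string {
  return Object.keys(children)
    .map((key) => `<template data-astro-template="${key}">${children[key]}</template>`)
    .join('');
}

// Hardened variant: the slot name is attribute-escaped before interpolation,
// so a quote or angle bracket in the name stays inside the attribute value.
function renderSlotsSafe(children: SlotMap): string {
  return Object.keys(children)
    .map((key) => `<template data-astro-template="${escapeAttr(key)}">${children[key]}</template>`)
    .join('');
}

// Review/test check: the number of opening <template> tags in the output
// should equal the number of slots. A surplus means a slot name broke out
// of its attribute and produced extra markup.
function countTemplates(html: string): number {
  return (html.match(/<template\b/g) || []).length;
}

// Constructed sample: one ordinary slot name and one carrying an
// attribute-closing quote and a tag, the breakout pattern the advisory describes.
const sampleChildren: SlotMap = {
  header: '<h1>Hello</h1>',
  'x"><b>injected</b><template data-x="': 'body',
};
```

With the sample above the unsafe renderer emits three template elements for two slots, while the escaped renderer emits exactly two and keeps the hostile name inert as `x&quot;&gt;&lt;b&gt;...`.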
