CVE-2026-54298
Astro: XSS via Unescaped Attribute Names in Spread Props
| CVSS Score | 4.2 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes each key directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (an API, a CMS, URL parameters), an attacker who controls those keys can inject arbitrary HTML attributes, including event handlers such as onmousemove or onclick, or break out of the attribute context entirely and inject new elements. This vulnerability is fixed in 6.4.6.
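The root cause above is that an attribute *name* reaches the HTML output unchecked, so escaping the value alone does not help. The following is an added example, not Astro's code and not a description of the 6.4.6 fix (which the advisory does not detail): a defensive spread helper an application could use to validate attribute names from untrusted objects before they are rendered. The function names, the name grammar and the rejection of all on* attributes are assumptions chosen for illustration; the sample props object is constructed.

```javascript
// Strict attribute-name grammar (assumption): must start with a letter and
// contain only letters, digits, '-', '_', ':' or '.'. Quotes, '/', '>', '='
// and whitespace are excluded, so a name can never close the attribute or
// the tag it sits in.
const ATTR_NAME_RE = /^[a-zA-Z][a-zA-Z0-9_:.-]*$/;

// Policy choice for untrusted props: never accept event-handler attributes.
function isEventHandler(name) {
  return /^on/i.test(name);
}

// Escape the attribute value for a double-quoted attribute context.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render an attribute string from a props object whose keys may be untrusted.
// Returns { html, rejected }: html is the safe attribute string, rejected lists
// the keys that were dropped so the caller can log or alert on them.
function spreadAttributesSafe(props) {
  const parts = [];
  const rejected = [];
  for (const [key, value] of Object.entries(props)) {
    if (!ATTR_NAME_RE.test(key) || isEventHandler(key)) {
      rejected.push(key);
      continue;
    }
    if (value === false || value === null || value === undefined) continue; // omit
    if (value === true) {
      parts.push(key); // boolean attribute, e.g. hidden
      continue;
    }
    parts.push(`${key}="${escapeAttrValue(value)}"`);
  }
  return { html: parts.join(" "), rejected };
}

// Render a complete opening tag; the tag name is assumed to be trusted here.
function renderElement(tag, props) {
  const { html } = spreadAttributesSafe(props);
  return html.length > 0 ? `<${tag} ${html}>` : `<${tag}>`;
}

// Constructed sample: props as they might arrive from a CMS record, mixing
// legitimate attributes with keys that must not reach the markup.
const untrustedProps = {
  class: "card",
  "data-id": 7,
  onclick: "ignored by policy",
  'a" b': 1,
  hidden: true,
  title: 'He said "hi"',
};

console.log(renderElement("div", untrustedProps));
console.log("rejected keys:", spreadAttributesSafe(untrustedProps).rejected);
```

The check runs on every key, not just on values, which is the distinction the advisory turns on; dropping rejected keys (rather than escaping them) keeps the output predictable and gives a clear signal to log.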
| CWE | CWE-79 |
| Vendor | withastro |
| Product | astro |
| Published | Jun 22, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
| withastro / astro | < 6.4.6 |