CVE-2026-45028

LOW EPSS 4.0%
Published May 13, 2026 · Modified Jun 17, 2026
2.9 CVSS 4.0
Low

Description

Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.

CVSS Details

Base Score
2.9
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
4.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-323
CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor   Product   Version   Range
astro    astro     *         <6.1.10

References 3

  • github.com https://github.com/withastro/astro/commit/3d82220a1549e699e34ed433f3846a919f4c02bd
    Patch
  • github.com https://github.com/withastro/astro/pull/16457
    Issue Tracking, Patch
  • github.com https://github.com/withastro/astro/security/advisories/GHSA-xr5h-phrj-8vxv
    Vendor Advisory

Remediation

  • github.com https://github.com/withastro/astro/commit/3d82220a1549e699e34ed433f3846a919f4c02bd
    Patch
  • github.com https://github.com/withastro/astro/pull/16457
    Issue Tracking, Patch