CVE-2026-54298
Published 2026-06-22
Priority: P4 · 29 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.16% (5.6th percentile)
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements. This vulnerability is fixed in 6.4.6.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| astro | astro | < 6.4.6 | 6.4.6 |
| astro | astro | >= 0 < 6.4.6 | 6.4.6 |
| withastro | astro | < 6.4.6 | 6.4.6 |
VulDB
CVE-2026-54298 [MEDIUM] withastro up to 6.4.5 spreadAttributes cross site scripting
vuldb · 2026-06-22 · CVSS 6.1
A vulnerability was found in withastro astro up to 6.4.5. It has been classified as problematic. This issue affects the function spreadAttributes. Performing a manipulation results in cross site scripting.
This vulnerability was named CVE-2026-54298. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
CVE-2026-54298 [MEDIUM] CWE-79 Astro: XSS via Unescaped Attribute Names in Spread Props
ghsa · 2026-06-16
## Summary
The `spreadAttributes` function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to `addAttribute`, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax `{...props}` on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like `onmousemove`, `onclick`, or break out of the attribute context entirely to inject new elements.
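The mitigation the summary implies is to treat attribute *names* from untrusted objects as data that must be validated, not as trusted markup. The following is an added example, not Astro's code and not part of the advisory: `sanitizeSpreadProps` (a hypothetical helper) allowlists attribute names by a strict syntactic pattern and additionally drops event-handler (`on*`) and a few other attacker-controllable names before the object is spread, and `renderTag` is a minimal illustrative renderer that shows the filtered result. `SAMPLE_PROPS` is a constructed input.

```javascript
// Added example (not Astro's code): validate attribute names before spreading an
// untrusted object into an element, so that a key containing '"', '>' or
// whitespace, or naming an event handler, never reaches the rendered markup.

// Allowed attribute-name shape: a letter followed by letters, digits, '-', '_'
// or ':'. Anything else could terminate the attribute or the tag in HTML output.
const SAFE_ATTR_NAME = /^[A-Za-z][A-Za-z0-9_:-]*$/;

// Names that pass the syntactic check but are still unsafe when chosen by an
// attacker: event handlers (on*) and attributes that carry code or markup.
const DENIED_PREFIXES = ['on'];
const DENIED_NAMES = new Set(['srcdoc', 'style', 'formaction']);

function isSafeAttributeName(name) {
  if (!SAFE_ATTR_NAME.test(name)) return false;
  const lower = name.toLowerCase();
  if (DENIED_PREFIXES.some((p) => lower.startsWith(p))) return false;
  if (DENIED_NAMES.has(lower)) return false;
  return true;
}

// Returns only the keys that are safe to spread, plus the list of rejected
// keys so the caller can log them for detection purposes.
function sanitizeSpreadProps(props) {
  const safe = {};
  const rejected = [];
  for (const [key, value] of Object.entries(props)) {
    if (isSafeAttributeName(key)) safe[key] = value;
    else rejected.push(key);
  }
  return { safe, rejected };
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Illustrative renderer (not Astro's): emits an opening tag with the filtered
// attributes, boolean `true` values rendered as bare attributes.
function renderTag(tag, props) {
  const { safe } = sanitizeSpreadProps(props);
  const attrs = Object.entries(safe)
    .map(([k, v]) => (v === true ? ` ${k}` : ` ${k}="${escapeAttrValue(v)}"`))
    .join('');
  return `<${tag}${attrs}>`;
}

// Constructed sample: an object whose keys came from an untrusted source.
const SAMPLE_PROPS = {
  class: 'card',
  'data-id': '42',
  onmouseover: 'alert(1)',
  '"><img src=x': 'y',
  'aria-label': 'A "quoted" label',
};

console.log(renderTag('div', SAMPLE_PROPS));
```

Rejected keys are returned rather than silently dropped so that a server-side log line can be emitted when untrusted input tries to supply attribute names outside the allowlist; a spike in such rejections is a useful detection signal on its own.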
## Details
The vulnerable function is [`addAttribute`](https://github.com/withastro/astro/blob/main/packages/astro/src/runtime/server/render/util.ts#L81-L141) at `packages/astro/src/runtime/se
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-22