CVE-2026-54298 | Astro is a web framework. Prior to 6.4.6, the spreadAttribut… | CVSS 4.2 MEDIUM

Description

Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax {...props} on an HTML element and the object keys come from an untrusted source (API, CMS, URL parameters), an attacker can inject arbitrary HTML attributes including event handlers like onmousemove, onclick, or break out of the attribute context entirely to inject new elements. This vulnerability is fixed in 6.4.6.

Metadata

CVE ID: CVE-2026-54298
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 17:46 UTC
Published: 2026-06-22 17:33 UTC
Last updated: 2026-06-22 17:33 UTC
Primary CWE: CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product: withastro / astro
Sources: cve.org · NVD

Severity & Metrics

4.2 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
withastro	astro	—	< 6.4.6

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.2	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

References (1)

https://github.com/withastro/astro/security/advisories/GHSA-jrpj-wcv7-9fh9 https://github.com/withastro/astro/security/advisories/GHSA-jrpj-wcv7-9fh9