CVE-2026-50146: Astro: Reflected XSS via unescaped slot name

June 16, 2026

When a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR.

This is similar to GHSA-wrwg-2hg8-v723 but exploits a different injection point.

References

github.com/advisories/GHSA-8hv8-536x-4wqp
github.com/withastro/astro/security/advisories/GHSA-8hv8-536x-4wqp
nvd.nist.gov/vuln/detail/CVE-2026-50146

Code Behaviors & Features

Detect and mitigate CVE-2026-50146 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →