Security Flaw in Astro Web Framework Affects Rendering Integrity
CVE-2026-54298

4.2 MEDIUM

Key Information:

Vendor

Withastro

Status
Vendor
CVE Published:
22 June 2026

What is CVE-2026-54298?

The Astro web framework has a vulnerability in its server-side rendering pipeline, specifically in the spreadAttributes function. This function iterates directly over the keys of an object that may originate from untrusted sources, such as API responses or user input, and emits each key as an HTML attribute name. Because these names are not properly escaped or filtered, an attacker who controls the object keys can inject arbitrary HTML attributes, including event handlers such as onclick or onmousemove. This allows manipulation of the DOM and can result in the execution of attacker-supplied script in the victim's browser. The issue has been resolved in version 6.4.6 and later.
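The following is an added illustration written for this page; it is not Astro's spreadAttributes implementation and does not claim to reproduce its internals. It shows the general hazard the advisory describes (object keys from untrusted input becoming attribute names, so that attribute values are escaped while the names themselves are not) next to one defensive approach: validating every attribute name against a strict pattern and dropping event-handler names before rendering. The function names renderAttributesUnsafe, renderAttributesSafe, isSafeAttributeName and the sample object are hypothetical.

```javascript
// Added example (not Astro's code): a minimal attribute-spreading renderer
// that demonstrates the attribute-name injection pattern and a hardened variant.

// Escapes an attribute VALUE for use inside double quotes.
// Note that this does nothing about the attribute NAME.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: every key of the object becomes an attribute name
// verbatim. Values are escaped, but a key such as "onclick" taken from an
// untrusted object is emitted as an event-handler attribute.
function renderAttributesUnsafe(attrs) {
  return Object.entries(attrs)
    .map(([name, value]) => `${name}="${escapeAttrValue(value)}"`)
    .join(" ");
}

// Hardened pattern: an attribute name is only rendered if it consists of
// lowercase letters, digits and hyphens, starts with a letter, and is not
// an event-handler attribute (no standard non-handler attribute begins
// with "on"). Anything else is dropped rather than "escaped", because
// there is no safe escaping for an attacker-chosen attribute name.
const SAFE_ATTR_NAME = /^[a-z][a-z0-9-]*$/;
function isSafeAttributeName(name) {
  return SAFE_ATTR_NAME.test(name) && !name.startsWith("on");
}

function renderAttributesSafe(attrs) {
  return Object.entries(attrs)
    .filter(([name]) => isSafeAttributeName(name))
    .map(([name, value]) => `${name}="${escapeAttrValue(value)}"`)
    .join(" ");
}

// Constructed sample input: an object shaped like something an application
// might receive from an external API and spread onto an element.
const untrustedAttrs = {
  class: "card",
  onclick: "doSomething()", // attacker-controlled key, not a value
  "data-id": "42",
};

// Stand-alone demonstration of both renderers on the same input.
function demo() {
  return {
    unsafe: renderAttributesUnsafe(untrustedAttrs),
    safe: renderAttributesSafe(untrustedAttrs),
  };
}

console.log(demo());
```

The key design point is that attribute names are validated with an allow-list and rejected outright, whereas attribute values are escaped. Escaping is the wrong tool for names: there is no encoding that turns an attacker-chosen handler name into a harmless one, so the only safe action is to refuse to render it.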

Affected Version(s)

astro < 6.4.6

References

CVSS v3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
