CVE-2026-45028

Name of the Vulnerable Software and Affected Versions Astro versions prior to 6.1.10

Description AES-GCM encryption used to protect the confidentiality and integrity of server island props and slots parameters did not bind the ciphertext to its intended component or parameter type. This allows an attacker to replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Because slots contain raw unescaped HTML while props may contain user-controlled values, this can lead to Cross-Site Scripting (XSS), which is a technique where malicious scripts are injected into trusted websites. This issue occurs when an application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop on a dynamically rendered page.

Recommendations Update to version 6.1.10.