CVE-2026-45028 affects Astro versions up to 6.1.10. This vulnerability allows an attacker to potentially inject malicious scripts via cross-site scripting (XSS) by exploiting a flaw in how server island props and slots parameters are encrypted. The vulnerability requires specific conditions to be met, including the use of server islands and two distinct islands within the application. A fix is available in version 6.1.11.
Impact and attack scenarios
The core of this vulnerability lies in Astro's server islands feature and the AES-GCM encryption used to protect props and slots. Astro failed to properly bind the ciphertext to its intended component or parameter type. This means an attacker can intercept and replay an encrypted props value (p) as a slots value (s), or vice versa. Since slots contain raw, unescaped HTML, while props might contain user-controlled data, this replay attack can lead to XSS. Successful exploitation hinges on the application utilizing server islands and having at least two different server islands involved. The potential impact is the execution of arbitrary JavaScript in the user's browser, leading to data theft, session hijacking, or defacement of the application.
Exploitation context
CVE-2026-45028 was published on May 13, 2026. There is currently no indication that this vulnerability is being actively exploited in the wild. It is not listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. Public proof-of-concept (POC) code is not yet widely available, but the vulnerability's description suggests it is potentially exploitable with moderate effort.
Threat intelligence
Exploitation status
EPSS
0.02% (7th percentile)
CISA SSVC
Affected software
Weakness classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigations and alternatives
The primary mitigation is to upgrade to Astro version 6.1.11 or later, which addresses the ciphertext binding issue. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all data passed to server islands, particularly within slots. While not a complete solution, this can reduce the attack surface. Additionally, review your Astro application's architecture to minimize the use of server islands where possible. There are no specific WAF rules or detection signatures readily available for this particular vulnerability, as it's a logic flaw rather than a direct exploit pattern. After upgrading, confirm the fix by testing the application with scenarios that previously triggered the vulnerability, ensuring props and slots are handled securely.
Remediation
Upgrade to version 6.1.10 or later to mitigate the vulnerability. This version fixes the issue by correctly binding the ciphertexts to their target components and parameters, thereby preventing replay attacks and the resulting XSS injection.
Frequently asked questions
What is CVE-2026-45028 — XSS in Astro Server Islands?
CVE-2026-45028 is a cross-site scripting (XSS) vulnerability in Astro versions up to 6.1.10. It allows attackers to potentially inject malicious scripts by exploiting a flaw in how server island props and slots are encrypted.
Am I affected by CVE-2026-45028 in Astro?
You are affected if you are using Astro version 6.1.10 or earlier and your application utilizes server islands with both props and slots, especially if you have multiple server islands interacting.
How do I fix CVE-2026-45028 in Astro?
Upgrade to Astro version 6.1.11 or later to resolve the vulnerability. If immediate upgrade isn't possible, implement strict input validation and output encoding on data used in server islands.
Is CVE-2026-45028 being actively exploited?
As of now, there is no public evidence of CVE-2026-45028 being actively exploited in the wild. However, it's crucial to apply the fix to prevent potential future exploitation.
Where can I find the official Astro advisory for CVE-2026-45028?
Refer to the official Astro security advisory for CVE-2026-45028 on the Astro website or GitHub repository for the most up-to-date information and guidance.