CVE-2026-50146
is CVE-2026-50146real, exploitable, or a false positive? Here's the community verdict.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Astro is a web framework. Prior to 6.3.3, when a component uses a client:* directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR. This vulnerability is fixed in 6.3.3.
References
Published
Embed this verdict
[](https://www.truepositive.app/cve/CVE-2026-50146)<a href="https://www.truepositive.app/cve/CVE-2026-50146"><img src="https://www.truepositive.app/cve/CVE-2026-50146/badge.svg" alt="TruePositive verdict for CVE-2026-50146"></a>Live badge that updates automatically as the community verdict changes.
Community ground truth
In your experience, is this finding real and exploitable?
0 verdictsNo account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.
Field notes & remediation
Verdicts are the quick signal. Notes are the evidence and fixes behind them.
No notes yet. Be the first to share what you saw, or a fix that worked.
Add a field note or remediationoptional
Related CVEs
Same weakness: CWE-80.
- CVE-2025-71331CVSS 6.1EPSS 0%
Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., <iframe src="javascript:alert(document.cookie)">) in a chat box, or by having a custom agent function return an XSS payload from an external website. The injected script executes in the victim's browser, enabling theft of cookies and session data.
- CVE-2025-62198CVSS 5.4EPSS 0%
An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.5.0, which fixes the issue.