49 vulnerabilities by nuxt
CVE-2026-56301 (GCVE-0-2026-56301)
Vulnerability from cvelistv5 – Published: 2026-06-23 12:13 – Updated: 2026-06-23 14:34
Title
Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux
Summary
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions; because abstract-namespace sockets are not subject to filesystem permissions, any local user can enumerate and connect to it. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | vendor-advisory |
| https://github.com/nuxt/nuxt/commit/1f9f4767a8725… | patch |
| https://github.com/nuxt/nuxt/commit/c293bf9503ccb… | patch |
| https://www.vulncheck.com/advisories/nuxt-arbitra… | third-party-advisory |
Impacted products
Date Public
2026-06-02 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T14:34:12.684151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T14:34:24.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "4.4.7",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.4.7",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "3.18.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.21.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "4.4.7",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "3.21.7",
"versionStartIncluding": "3.18.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "alcls01111"
}
],
"datePublic": "2026-06-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:13:02.034Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-534h-c3cw-v3h9)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-534h-c3cw-v3h9"
},
{
"name": "https://github.com/nuxt/nuxt/commit/1f9f4767a8725104da9bee872bb8d35246f25ae5",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/1f9f4767a8725104da9bee872bb8d35246f25ae5"
},
{
"name": "https://github.com/nuxt/nuxt/commit/c293bf9503ccb3bc9559bff4a1f592f99063c9ea",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/c293bf9503ccb3bc9559bff4a1f592f99063c9ea"
},
{
"name": "VulnCheck Advisory: Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/nuxt-arbitrary-file-read-via-world-connectable-vite-node-ipc-socket-on-linux"
}
],
"title": "Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56301",
"datePublished": "2026-06-23T12:13:02.034Z",
"dateReserved": "2026-06-20T12:49:17.830Z",
"dateUpdated": "2026-06-23T14:34:24.230Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56698 (GCVE-0-2026-56698)
Vulnerability from cvelistv5 – Published: 2026-06-22 21:04 – Updated: 2026-06-23 15:05
Title
Nuxt - Cross-Site Scripting via navigateTo open Option
Summary
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | vendor-advisory |
| https://github.com/nuxt/nuxt/commit/3394716d4a913… | patch |
| https://github.com/nuxt/nuxt/commit/62fc32eddf648… | patch |
| https://www.vulncheck.com/advisories/nuxt-cross-s… | third-party-advisory |
Impacted products
Date Public
2026-06-02 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T14:55:50.302247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T15:05:45.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "4.4.7",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.4.7",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.21.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "4.4.7",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "3.21.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "alcls01111"
}
],
"datePublic": "2026-06-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application\u0027s origin when user-controlled input is passed to navigateTo."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:04:53.739Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-c9cv-mq2m-ppp3)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3"
},
{
"name": "https://github.com/nuxt/nuxt/commit/3394716d4a913cba904b028df5338f2aead50032",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/3394716d4a913cba904b028df5338f2aead50032"
},
{
"name": "https://github.com/nuxt/nuxt/commit/62fc32eddf648b00a3890141e0235d2a222b024d",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/62fc32eddf648b00a3890141e0235d2a222b024d"
},
{
"name": "VulnCheck Advisory: Nuxt - Cross-Site Scripting via navigateTo open Option",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-navigateto-open-option"
}
],
"title": "Nuxt - Cross-Site Scripting via navigateTo open Option",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56698",
"datePublished": "2026-06-22T21:04:53.739Z",
"dateReserved": "2026-06-22T17:09:16.556Z",
"dateUpdated": "2026-06-23T15:05:45.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56697 (GCVE-0-2026-56697)
Vulnerability from cvelistv5 – Published: 2026-06-22 21:04 – Updated: 2026-06-23 13:51
Title
Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp
Summary
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; because such paths are resolved against the current page's protocol, they pass the script-protocol check yet resolve to a cross-origin URL. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | vendor-advisory |
| https://github.com/nuxt/nuxt/commit/e447a793c4776… | patch |
| https://github.com/nuxt/nuxt/commit/6497d99dd1062… | patch |
| https://www.vulncheck.com/advisories/nuxt-open-re… | third-party-advisory |
Impacted products
Date Public
2026-06-02 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T13:49:36.157372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T13:51:01.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "4.4.7",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.4.7",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.21.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "4.4.7",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "3.21.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "alcls01111"
}
],
"datePublic": "2026-06-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:04:53.038Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-c9cv-mq2m-ppp3)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3"
},
{
"name": "https://github.com/nuxt/nuxt/commit/e447a793c47766834f7497f8412a76cd56fd8ee1",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/e447a793c47766834f7497f8412a76cd56fd8ee1"
},
{
"name": "https://github.com/nuxt/nuxt/commit/6497d99dd106254abd089f6a263d7773869a343b",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/6497d99dd106254abd089f6a263d7773869a343b"
},
{
"name": "VulnCheck Advisory: Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/nuxt-open-redirect-via-protocol-relative-paths-in-reloadnuxtapp"
}
],
"title": "Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56697",
"datePublished": "2026-06-22T21:04:53.038Z",
"dateReserved": "2026-06-22T17:09:16.556Z",
"dateUpdated": "2026-06-23T13:51:01.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56326 (GCVE-0-2026-56326)
Vulnerability from cvelistv5 – Published: 2026-06-22 21:04 – Updated: 2026-06-23 12:12
Title
Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo
Summary
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. Attackers can bypass external-host checks using path-normalization techniques to redirect users to attacker-controlled sites via the Location header or meta-refresh, enabling phishing and OAuth authorization-code theft.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | vendor-advisory |
| https://github.com/nuxt/nuxt/commit/2cce6fb02e621… | patch |
| https://github.com/nuxt/nuxt/commit/1f2dd5e78c775… | patch |
| https://www.vulncheck.com/advisories/nuxt-server-… | third-party-advisory |
Impacted products
Date Public
2026-06-02 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T12:12:07.872599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T12:12:14.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "4.4.7",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.4.7",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.21.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "4.4.7",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "3.21.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "alcls01111"
}
],
"datePublic": "2026-06-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. Attackers can bypass external-host checks using path-normalization techniques to redirect users to attacker-controlled sites via the Location header or meta-refresh, enabling phishing and OAuth authorization-code theft."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T21:04:50.975Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GitHub Security Advisory (GHSA-c9cv-mq2m-ppp3)",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3"
},
{
"name": "https://github.com/nuxt/nuxt/commit/2cce6fb02e621196d56df92e05594e07469b5a6d",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/2cce6fb02e621196d56df92e05594e07469b5a6d"
},
{
"name": "https://github.com/nuxt/nuxt/commit/1f2dd5e78c77576437138e97671965573c232835",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/1f2dd5e78c77576437138e97671965573c232835"
},
{
"name": "VulnCheck Advisory: Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/nuxt-server-side-open-redirect-via-path-normalization-bypass-in-navigateto"
}
],
"title": "Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56326",
"datePublished": "2026-06-22T21:04:50.975Z",
"dateReserved": "2026-06-20T13:06:29.994Z",
"dateUpdated": "2026-06-23T12:12:14.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-56317 (GCVE-0-2026-56317)
Vulnerability from cvelistv5 – Published: 2026-06-20 15:21 – Updated: 2026-06-24 17:53
Title
Nuxt - Cross-Site Scripting via NoScript Component Slot Content
Summary
Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | vendor-advisory |
| https://github.com/nuxt/nuxt/commit/4b054e9d95f8d… | patch |
| https://github.com/nuxt/nuxt/commit/7fea9fd687f1d… | patch |
| https://www.vulncheck.com/advisories/nuxt-cross-s… | third-party-advisory |
Impacted products
Date Public
2026-06-02 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T17:52:47.230996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T17:53:34.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "4.4.7",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "4.4.7",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/nuxt",
"product": "Nuxt",
"vendor": "Nuxt",
"versions": [
{
"lessThan": "3.21.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "3.21.7",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "4.4.7",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:node.js:*:*",
"versionEndExcluding": "3.21.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "alcls01111"
}
],
"datePublic": "2026-06-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-20T15:21:56.449Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GHSA Advisory GHSA-m3q2-p4fw-w38m",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m"
},
{
"name": "https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e"
},
{
"name": "https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e",
"tags": [
"patch"
],
"url": "https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e"
},
{
"name": "VulnCheck Advisory: Nuxt - Cross-Site Scripting via NoScript Component Slot Content",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-noscript-component-slot-content"
}
],
"title": "Nuxt - Cross-Site Scripting via NoScript Component Slot Content",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56317",
"datePublished": "2026-06-20T15:21:56.449Z",
"dateReserved": "2026-06-20T12:59:07.917Z",
"dateUpdated": "2026-06-24T17:53:34.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53722 (GCVE-0-2026-53722)
Vulnerability from cvelistv5 – Published: 2026-06-12 13:44 – Updated: 2026-06-12 15:05
Title
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/commit/0103ce06fbbbd… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/commit/53284043dc212… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:05:40.713482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:05:46.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003c 3.21.7"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.4.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, \u003cNuxtLink\u003e did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying \u003ca\u003e element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to \u003cNuxtLink :to\u003e or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application\u0027s origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component\u0027s custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-83",
"description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:44:14.592Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26"
},
{
"name": "https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3"
},
{
"name": "https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0"
}
],
"source": {
"advisory": "GHSA-934w-87qh-qr26",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Reflected XSS in `\u003cNuxtLink\u003e` via unsanitised `javascript:` or `data:` URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53722",
"datePublished": "2026-06-12T13:44:14.592Z",
"dateReserved": "2026-06-10T16:43:31.241Z",
"dateUpdated": "2026-06-12T15:05:46.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53721 (GCVE-0-2026-53721)
Vulnerability from cvelistv5 – Published: 2026-06-12 13:41 – Updated: 2026-06-13 02:59
Title
Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Summary
Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via a case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/commit/07e39cd6f26e4… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T02:59:24.531070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T02:59:37.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.21.7"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.4.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:41:34.022Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-mm7m-92g8-7m47",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-mm7m-92g8-7m47"
},
{
"name": "https://github.com/nuxt/nuxt/commit/07e39cd6f26e407b4192b7865bd17bc44536b9bb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/07e39cd6f26e407b4192b7865bd17bc44536b9bb"
},
{
"name": "https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec8e495f4f8ce0a54813a8875a11e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec8e495f4f8ce0a54813a8875a11e"
}
],
"source": {
"advisory": "GHSA-mm7m-92g8-7m47",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53721",
"datePublished": "2026-06-12T13:41:34.022Z",
"dateReserved": "2026-06-10T16:43:31.241Z",
"dateUpdated": "2026-06-13T02:59:37.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47200 (GCVE-0-2026-47200)
Vulnerability from cvelistv5 – Published: 2026-06-12 12:58 – Updated: 2026-06-13 02:56
Title
Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Summary
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Before this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/pull/35092 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47200",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T02:54:34.720042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T02:56:45.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.21.6"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_\u003crouteName\u003e and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:58:00.708Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35092",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35092"
}
],
"source": {
"advisory": "GHSA-hg3f-28rg-4jxj",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47200",
"datePublished": "2026-06-12T12:58:00.708Z",
"dateReserved": "2026-05-18T22:07:37.436Z",
"dateUpdated": "2026-06-13T02:56:45.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49993 (GCVE-0-2026-49993)
Vulnerability from cvelistv5 – Published: 2026-06-12 12:57 – Updated: 2026-06-12 13:42
Title
@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Summary
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.7 and 4.4.7.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/pull/35200 | x_refsource_MISC |
| https://github.com/nuxt/nuxt/commit/77187ee4015e9… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/commit/e351de943e82d… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49993",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T13:42:10.549608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:42:21.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.15.4, \u003c 3.21.7"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.4.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.7 and 4.4.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:57:43.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5"
},
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35200",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35200"
},
{
"name": "https://github.com/nuxt/nuxt/commit/77187ee4015e9267fb464951542a3e09e8b5fa05",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/77187ee4015e9267fb464951542a3e09e8b5fa05"
},
{
"name": "https://github.com/nuxt/nuxt/commit/e351de943e82db16970618b60dc7fdbaa58630f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/e351de943e82db16970618b60dc7fdbaa58630f3"
}
],
"source": {
"advisory": "GHSA-x6qj-4h56-5rj5",
"discovery": "UNKNOWN"
},
"title": "@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49993",
"datePublished": "2026-06-12T12:57:43.232Z",
"dateReserved": "2026-06-02T18:30:51.283Z",
"dateUpdated": "2026-06-12T13:42:21.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45669 (GCVE-0-2026-45669)
Vulnerability from cvelistv5 – Published: 2026-06-12 12:51 – Updated: 2026-06-12 14:07
Title
Nuxt: Reflected XSS in `navigateTo()` external redirect
Summary
Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/pull/35052 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45669",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:03:21.230017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:07:21.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.4.3, \u003c 3.21.6"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a \u003cmeta http-equiv=\"refresh\"\u003e tag. The destination URL is only sanitized by replacing \" with %22, leaving \u003c, \u003e, \u0026, and \u0027 unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content=\"\u2026\" attribute and inject arbitrary HTML/JavaScript that executes under the application\u0027s origin. This issue has been patched in versions 3.21.6 and 4.4.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-83",
"description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:51:42.640Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35052",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35052"
}
],
"source": {
"advisory": "GHSA-fx6j-w5w5-h468",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Reflected XSS in `navigateTo()` external redirect"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45669",
"datePublished": "2026-06-12T12:51:42.640Z",
"dateReserved": "2026-05-12T21:59:25.666Z",
"dateUpdated": "2026-06-12T14:07:21.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45670 (GCVE-0-2026-45670)
Vulnerability from cvelistv5 – Published: 2026-06-12 12:51 – Updated: 2026-06-12 14:18
Title
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Summary
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/pull/35051 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45670",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:17:53.380369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:18:09.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.15.4, \u003c 3.21.6"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:51:16.156Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
},
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35051",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35051"
}
],
"source": {
"advisory": "GHSA-6m52-m754-pw2g",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45670",
"datePublished": "2026-06-12T12:51:16.156Z",
"dateReserved": "2026-05-12T21:59:25.666Z",
"dateUpdated": "2026-06-12T14:18:09.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46342 (GCVE-0-2026-46342)
Vulnerability from cvelistv5 – Published: 2026-06-12 12:50 – Updated: 2026-06-12 20:54
Title
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Summary
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/pull/35077 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:38:03.802043Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:54:39.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.21.6"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (\u003cName\u003e_\u003chashId\u003e.json) was actually issued for those inputs by \u003cNuxtIsland\u003e. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:52:25.187Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35077",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35077"
}
],
"source": {
"advisory": "GHSA-g8wj-3cr3-6w7v",
"discovery": "UNKNOWN"
},
"title": "Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46342",
"datePublished": "2026-06-12T12:50:41.589Z",
"dateReserved": "2026-05-13T18:37:30.990Z",
"dateUpdated": "2026-06-12T20:54:39.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34405 (GCVE-0-2026-34405)
Vulnerability from cvelistv5 – Published: 2026-03-31 21:16 – Updated: 2026-04-01 18:43
Title
Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes
Summary
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image-generation component reachable at the URI /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/nuxt-modules/og-image/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nuxt-modules | og-image | Affected: < 6.2.5 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34405",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:43:12.726823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:43:23.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "og-image",
"vendor": "nuxt-modules",
"versions": [
{
"status": "affected",
"version": "\u003c 6.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image\u2011generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T21:16:24.918Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h"
}
],
"source": {
"advisory": "GHSA-mg36-wvcr-m75h",
"discovery": "UNKNOWN"
},
"title": "Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34405",
"datePublished": "2026-03-31T21:16:24.918Z",
"dateReserved": "2026-03-27T13:45:29.620Z",
"dateUpdated": "2026-04-01T18:43:23.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34404 (GCVE-0-2026-34404)
Vulnerability from cvelistv5 – Published: 2026-03-31 21:16 – Updated: 2026-04-01 13:37
Title
Nuxt OG Image vulnerable to DoS via image generation
Summary
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image-generation component reachable at the URI /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/nuxt-modules/og-image/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nuxt-modules | og-image |
Affected:
< 6.2.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34404",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:37:22.582151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:37:28.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-c7xp-q6q8-hg76"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "og-image",
"vendor": "nuxt-modules",
"versions": [
{
"status": "affected",
"version": "\u003c 6.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image\u2011generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T21:16:07.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-c7xp-q6q8-hg76",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-c7xp-q6q8-hg76"
}
],
"source": {
"advisory": "GHSA-c7xp-q6q8-hg76",
"discovery": "UNKNOWN"
},
"title": "Nuxt OG Image vulnerable to DoS via image generation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34404",
"datePublished": "2026-03-31T21:16:07.824Z",
"dateReserved": "2026-03-27T13:45:29.620Z",
"dateUpdated": "2026-04-01T13:37:28.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52662 (GCVE-0-2025-52662)
Vulnerability from cvelistv5 – Published: 2025-11-07 00:43 – Updated: 2025-12-01 20:12
Summary
A vulnerability in Nuxt DevTools has been fixed in version **2.6.4**. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade.
More details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools
Severity
6.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Vercel | Nuxt Devtools |
Affected:
2.6.3 , ≤ 2.6.3
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52662",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T18:37:52.258761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T20:12:06.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nuxt Devtools",
"vendor": "Vercel",
"versions": [
{
"lessThanOrEqual": "2.6.3",
"status": "affected",
"version": "2.6.3",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Nuxt DevTools has been fixed in version **2.6.4***. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade.\r\n\r\nMore details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T00:43:27.913Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://github.com/nuxt/devtools/commit/7cadbbe9"
},
{
"url": "https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2025-52662",
"datePublished": "2025-11-07T00:43:27.913Z",
"dateReserved": "2025-06-18T15:00:00.894Z",
"dateUpdated": "2025-12-01T20:12:06.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59414 (GCVE-0-2025-59414)
Vulnerability from cvelistv5 – Published: 2025-09-17 18:39 – Updated: 2025-09-17 19:42
Title
Nuxt Client-Side Path Traversal in Nuxt Island Payload Revival
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, a client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, the data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/commit/2566d2046bccb… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T19:42:38.698134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T19:42:44.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.6.0 \u003c 3.19.0"
},
{
"status": "affected",
"version": "\u003e= 4.0.0 \u003c 4.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, a client-side path traversal vulnerability in Nuxt\u0027s Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, the data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:39:38.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6"
},
{
"name": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595"
}
],
"source": {
"advisory": "GHSA-p6jq-8vc4-79f6",
"discovery": "UNKNOWN"
},
"title": "Nuxt Client-Side Path Traversal in Nuxt Island Payload Revival"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59414",
"datePublished": "2025-09-17T18:39:38.193Z",
"dateReserved": "2025-09-15T19:13:16.903Z",
"dateUpdated": "2025-09-17T19:42:44.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27415 (GCVE-0-2025-27415)
Vulnerability from cvelistv5 – Published: 2025-03-19 19:02 – Updated: 2025-03-19 19:22
Title
Nuxt allows DOS via cache poisoning with payload rendering response
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and severely impact the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json, which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack against a vulnerable site in order to make the site unavailable indefinitely. Even where the cache is periodically reset, a small script can send a request every X seconds (X = the caching duration) so that the cache is permanently poisoned, making the site completely unavailable. This vulnerability is fixed in 3.16.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T19:22:15.796670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:22:25.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:02:04.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93"
}
],
"source": {
"advisory": "GHSA-jvhm-gjrh-3h93",
"discovery": "UNKNOWN"
},
"title": "Nuxt allows DOS via cache poisoning with payload rendering response"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27415",
"datePublished": "2025-03-19T19:02:04.824Z",
"dateReserved": "2025-02-24T15:51:17.268Z",
"dateUpdated": "2025-03-19T19:22:25.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-53722 (GCVE-0-2026-53722)
Vulnerability from nvd – Published: 2026-06-12 13:44 – Updated: 2026-06-12 15:05
Title
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/commit/0103ce06fbbbd… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/commit/53284043dc212… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:05:40.713482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:05:46.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003c 3.21.7"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.4.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, \u003cNuxtLink\u003e did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying \u003ca\u003e element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to \u003cNuxtLink :to\u003e or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application\u0027s origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component\u0027s custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-83",
"description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:44:14.592Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26"
},
{
"name": "https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3"
},
{
"name": "https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0"
}
],
"source": {
"advisory": "GHSA-934w-87qh-qr26",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Reflected XSS in `\u003cNuxtLink\u003e` via unsanitised `javascript:` or `data:` URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53722",
"datePublished": "2026-06-12T13:44:14.592Z",
"dateReserved": "2026-06-10T16:43:31.241Z",
"dateUpdated": "2026-06-12T15:05:46.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-53721 (GCVE-0-2026-53721)
Vulnerability from nvd – Published: 2026-06-12 13:41 – Updated: 2026-06-13 02:59
Title
Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Summary
Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/commit/07e39cd6f26e4… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T02:59:24.531070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T02:59:37.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.21.7"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.4.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-178",
"description": "CWE-178: Improper Handling of Case Sensitivity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:41:34.022Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-mm7m-92g8-7m47",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-mm7m-92g8-7m47"
},
{
"name": "https://github.com/nuxt/nuxt/commit/07e39cd6f26e407b4192b7865bd17bc44536b9bb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/07e39cd6f26e407b4192b7865bd17bc44536b9bb"
},
{
"name": "https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec8e495f4f8ce0a54813a8875a11e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/3f3e3fa7b5eec8e495f4f8ce0a54813a8875a11e"
}
],
"source": {
"advisory": "GHSA-mm7m-92g8-7m47",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53721",
"datePublished": "2026-06-12T13:41:34.022Z",
"dateReserved": "2026-06-10T16:43:31.241Z",
"dateUpdated": "2026-06-13T02:59:37.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49993 (GCVE-0-2026-49993)
Vulnerability from nvd – Published: 2026-06-12 12:57 – Updated: 2026-06-12 13:42
Title
@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Summary
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g (CVE-2026-45670). Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network: the dev server's same-origin check is bypassed when the Sec-Fetch-Site, Origin and Referer request headers are all absent. This issue has been patched in versions 3.21.7 and 4.4.7. Note that 3.21.6 and 4.4.6 — the releases that shipped the fix for GHSA-6m52-m754-pw2g — remain affected; until upgrading, keep the dev server bound to a loopback address rather than exposing it with --host.
Severity
5.9 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/pull/35200 | x_refsource_MISC |
| https://github.com/nuxt/nuxt/commit/77187ee4015e9… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/commit/e351de943e82d… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49993",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T13:42:10.549608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T13:42:21.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.15.4, \u003c 3.21.7"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.4.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.7 and 4.4.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:57:43.232Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5"
},
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35200",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35200"
},
{
"name": "https://github.com/nuxt/nuxt/commit/77187ee4015e9267fb464951542a3e09e8b5fa05",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/77187ee4015e9267fb464951542a3e09e8b5fa05"
},
{
"name": "https://github.com/nuxt/nuxt/commit/e351de943e82db16970618b60dc7fdbaa58630f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/e351de943e82db16970618b60dc7fdbaa58630f3"
}
],
"source": {
"advisory": "GHSA-x6qj-4h56-5rj5",
"discovery": "UNKNOWN"
},
"title": "@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49993",
"datePublished": "2026-06-12T12:57:43.232Z",
"dateReserved": "2026-06-02T18:30:51.283Z",
"dateUpdated": "2026-06-12T13:42:21.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47200 (GCVE-0-2026-47200)
Vulnerability from nvd – Published: 2026-06-12 12:58 – Updated: 2026-06-13 02:56
Title
Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Summary
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. In practice, any access control that exists only as page-level route middleware on a .server.vue page can be sidestepped by an unauthenticated request to /__nuxt_island/page_<routeName> (the CVSS v4.0 vector is AV:N/PR:N/UI:N); checks enforced outside Vue Router are not described as affected by this record. This issue has been patched in versions 3.21.6 and 4.4.6.
Severity
6.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/pull/35092 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47200",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T02:54:34.720042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T02:56:45.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.11.0, \u003c 3.21.6"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_\u003crouteName\u003e and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:58:00.708Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35092",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35092"
}
],
"source": {
"advisory": "GHSA-hg3f-28rg-4jxj",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47200",
"datePublished": "2026-06-12T12:58:00.708Z",
"dateReserved": "2026-05-18T22:07:37.436Z",
"dateUpdated": "2026-06-13T02:56:45.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46342 (GCVE-0-2026-46342)
Vulnerability from nvd – Published: 2026-06-12 12:50 – Updated: 2026-06-12 20:54
Title
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Summary
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. The practical exposure is behind a shared cache (CDN or reverse proxy) whose cache key ignores the query string or request body: a response rendered for attacker-chosen props can then be served under a <Name>_<hashId>.json path that legitimate <NuxtIsland> clients request. The CNA rates this Low (CVSS v4.0 2.3, with attack requirements present — consistent with needing such a cache in the request path). This issue has been patched in versions 3.21.6 and 4.4.6.
Severity
2.3 (Low)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/pull/35077 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:38:03.802043Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:54:39.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.21.6"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (\u003cName\u003e_\u003chashId\u003e.json) was actually issued for those inputs by \u003cNuxtIsland\u003e. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:52:25.187Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35077",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35077"
}
],
"source": {
"advisory": "GHSA-g8wj-3cr3-6w7v",
"discovery": "UNKNOWN"
},
"title": "Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46342",
"datePublished": "2026-06-12T12:50:41.589Z",
"dateReserved": "2026-05-13T18:37:30.990Z",
"dateUpdated": "2026-06-12T20:54:39.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45670 (GCVE-0-2026-45670)
Vulnerability from nvd – Published: 2026-06-12 12:51 – Updated: 2026-06-12 14:18
Title
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Summary
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6; however, that fix was itself found incomplete — see CVE-2026-49993 (GHSA-x6qj-4h56-5rj5), patched in 3.21.7 and 4.4.7 — so 3.21.7 / 4.4.7 are the first releases that close this exposure. Until upgrading, keep the dev server bound to a loopback address (avoid nuxt dev --host on a shared network); the record names only the webpack and rspack builder packages as affected.
Severity
5.9 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_MISC |
| https://github.com/nuxt/nuxt/pull/35051 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45670",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:17:53.380369Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:18:09.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.15.4, \u003c 3.21.6"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:51:16.156Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g"
},
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35051",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35051"
}
],
"source": {
"advisory": "GHSA-6m52-m754-pw2g",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45670",
"datePublished": "2026-06-12T12:51:16.156Z",
"dateReserved": "2026-05-12T21:59:25.666Z",
"dateUpdated": "2026-06-12T14:18:09.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45669 (GCVE-0-2026-45669)
Vulnerability from nvd – Published: 2026-06-12 12:51 – Updated: 2026-06-12 14:07
Title
Nuxt: Reflected XSS in `navigateTo()` external redirect
Summary
Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. Because the payload is emitted in the server-rendered response body, it fires in the victim's browser on an ordinary navigation (UI:P in the CVSS v4.0 vector); code paths that pass a user-supplied URL (for example a redirect-target parameter) to navigateTo with external: true are the surface to audit. This issue has been patched in versions 3.21.6 and 4.4.6.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/pull/35052 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45669",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:03:21.230017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:07:21.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.4.3, \u003c 3.21.6"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-alpha.1, \u003c 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a \u003cmeta http-equiv=\"refresh\"\u003e tag. The destination URL is only sanitized by replacing \" with %22, leaving \u003c, \u003e, \u0026, and \u0027 unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content=\"\u2026\" attribute and inject arbitrary HTML/JavaScript that executes under the application\u0027s origin. This issue has been patched in versions 3.21.6 and 4.4.6."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-83",
"description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T12:51:42.640Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468"
},
{
"name": "https://github.com/nuxt/nuxt/pull/35052",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/pull/35052"
}
],
"source": {
"advisory": "GHSA-fx6j-w5w5-h468",
"discovery": "UNKNOWN"
},
"title": "Nuxt: Reflected XSS in `navigateTo()` external redirect"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45669",
"datePublished": "2026-06-12T12:51:42.640Z",
"dateReserved": "2026-05-12T21:59:25.666Z",
"dateUpdated": "2026-06-12T14:07:21.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34405 (GCVE-0-2026-34405)
Vulnerability from nvd – Published: 2026-03-31 21:16 – Updated: 2026-04-01 18:43
Title
Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes
Summary
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image-generation endpoint served at /_og/d/ (and, in older versions, /og-image/) reflects query parameters into the rendered HTML without adequate encoding, allowing injection of arbitrary attributes into elements of the HTML page body (reflected XSS, CWE-79). This issue has been patched in version 6.2.5.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/nuxt-modules/og-image/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nuxt-modules | og-image |
Affected:
< 6.2.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34405",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:43:12.726823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:43:23.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "og-image",
"vendor": "nuxt-modules",
"versions": [
{
"status": "affected",
"version": "\u003c 6.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image\u2011generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T21:16:24.918Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h"
}
],
"source": {
"advisory": "GHSA-mg36-wvcr-m75h",
"discovery": "UNKNOWN"
},
"title": "Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34405",
"datePublished": "2026-03-31T21:16:24.918Z",
"dateReserved": "2026-03-27T13:45:29.620Z",
"dateUpdated": "2026-04-01T18:43:23.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34404 (GCVE-0-2026-34404)
Vulnerability from nvd – Published: 2026-03-31 21:16 – Updated: 2026-04-01 13:37
Title
Nuxt OG Image vulnerable to DoS via image generation
Summary
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image-generation endpoint served at /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability: the width and height parameters of the generated image are not bounded, so an unauthenticated request can ask for an arbitrarily large render (CWE-400, uncontrolled resource consumption). The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5.
Severity
6.9 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/nuxt-modules/og-image/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nuxt-modules | og-image |
Affected:
< 6.2.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34404",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:37:22.582151Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:37:28.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-c7xp-q6q8-hg76"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "og-image",
"vendor": "nuxt-modules",
"versions": [
{
"status": "affected",
"version": "\u003c 6.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image\u2011generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T21:16:07.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-c7xp-q6q8-hg76",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-c7xp-q6q8-hg76"
}
],
"source": {
"advisory": "GHSA-c7xp-q6q8-hg76",
"discovery": "UNKNOWN"
},
"title": "Nuxt OG Image vulnerable to DoS via image generation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34404",
"datePublished": "2026-03-31T21:16:07.824Z",
"dateReserved": "2026-03-27T13:45:29.620Z",
"dateUpdated": "2026-04-01T13:37:28.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52662 (GCVE-0-2025-52662)
Vulnerability from nvd – Published: 2025-11-07 00:43 – Updated: 2025-12-01 20:12
Summary
A vulnerability in Nuxt DevTools has been fixed in version 2.6.4. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations; the record does not state which configurations or which token is exposed, so treat any deployment with DevTools enabled on an affected version as exposed until the linked changelog has been checked. All users are encouraged to upgrade.
More details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools
Severity
6.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Vercel | Nuxt Devtools | Affected: 2.6.3, ≤ 2.6.3 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52662",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T18:37:52.258761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-01T20:12:06.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nuxt Devtools",
"vendor": "Vercel",
"versions": [
{
"lessThanOrEqual": "2.6.3",
"status": "affected",
"version": "2.6.3",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Nuxt DevTools has been fixed in version **2.6.4***. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade.\r\n\r\nMore details: https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T00:43:27.913Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://github.com/nuxt/devtools/commit/7cadbbe9"
},
{
"url": "https://vercel.com/changelog/cve-2025-52662-xss-on-nuxt-devtools"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2025-52662",
"datePublished": "2025-11-07T00:43:27.913Z",
"dateReserved": "2025-06-18T15:00:00.894Z",
"dateUpdated": "2025-12-01T20:12:06.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59414 (GCVE-0-2025-59414)
Vulnerability from nvd – Published: 2025-09-17 18:39 – Updated: 2025-09-17 19:42
Title
Nuxt Client-Side Path Traversal in Nuxt Island Payload Revival
Summary
Nuxt is an open-source web development framework for Vue.js. In versions 3.6.0 before 3.19.0 and 4.0.0 before 4.1.0, a client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to make the client issue requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts), where Nuxt Islands are automatically fetched when a serialized __nuxt_island object is encountered. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, the data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload and the Island reviver attempts to fetch /__nuxt_island/${key}.json, where key could contain path traversal sequences. The resulting request stays on the application's own origin, which is why the CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) rates confidentiality impact as Low with high attack complexity. Update to Nuxt 3.19.0+ or 4.1.0+.
Severity
3.1 (Low)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/commit/2566d2046bccb… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T19:42:38.698134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T19:42:44.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.6.0 \u003c 3.19.0"
},
{
"status": "affected",
"version": "\u003e= 4.0.0 \u003c 4.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt\u0027s Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. The vulnerability occurs in the client-side payload revival process (revive-payload.client.ts) where Nuxt Islands are automatically fetched when encountering serialized __nuxt_island objects. During prerendering, if an API endpoint returns user-controlled data containing a crafted __nuxt_island object, he data gets serialized with devalue.stringify and stored in the prerendered page. When a client navigates to the prerendered page, devalue.parse deserializes the payload. The Island reviver attempts to fetch /__nuxt_island/${key}.json where key could contain path traversal sequences. Update to Nuxt 3.19.0+ or 4.1.0+."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:39:38.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-p6jq-8vc4-79f6"
},
{
"name": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/2566d2046bccb158d98fb13e42ce4b2c33fb2595"
}
],
"source": {
"advisory": "GHSA-p6jq-8vc4-79f6",
"discovery": "UNKNOWN"
},
"title": "Nuxt Client-Side Path Traversal in Nuxt Island Payload Revival"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59414",
"datePublished": "2025-09-17T18:39:38.193Z",
"dateReserved": "2025-09-15T19:13:16.903Z",
"dateUpdated": "2025-09-17T19:42:44.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27415 (GCVE-0-2025-27415)
Vulnerability from nvd – Published: 2025-03-19 19:02 – Updated: 2025-03-19 19:22
Title
Nuxt allows DOS via cache poisoning with payload rendering response
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and severely impact the availability of a site. A request such as https://mysite.com/?/_payload.json is rendered as JSON rather than as the HTML page. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, this JSON response can then be served to future visitors of the site. An attacker can perform this attack against a vulnerable site to make it unavailable indefinitely; even where the cache entry expires, a small script that re-sends the request every X seconds (X = the caching duration) keeps the cache permanently poisoned and the site completely unavailable. This vulnerability is fixed in 3.16.0. Until the upgrade is deployed, configuring the CDN to include the query string in its cache key removes the precondition described above, since the poisoned entry would then be keyed separately from the normal page.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27415",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T19:22:15.796670Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:22:25.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as https://mysite.com/?/_payload.json which will be rendered as JSON. If the CDN in front of a Nuxt site ignores the query string when determining whether to cache a route, then this JSON response could be served to future visitors to the site. An attacker can perform this attack to a vulnerable site in order to make a site unavailable indefinitely. It is also possible in the case where the cache will be reset to make a small script to send a request each X seconds (=caching duration) so that the cache is permanently poisoned making the site completely unavailable. This vulnerability is fixed in 3.16.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T19:02:04.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-jvhm-gjrh-3h93"
}
],
"source": {
"advisory": "GHSA-jvhm-gjrh-3h93",
"discovery": "UNKNOWN"
},
"title": "Nuxt allows DOS via cache poisoning with payload rendering response"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27415",
"datePublished": "2025-03-19T19:02:04.824Z",
"dateReserved": "2025-02-24T15:51:17.268Z",
"dateUpdated": "2025-03-19T19:22:25.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24361 (GCVE-0-2025-24361)
Vulnerability from nvd – Published: 2025-01-25 00:53 – Updated: 2025-02-12 20:41
Title
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Summary
Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during development when using version 3.0.0 through 3.15.2 of the webpack builder or version 3.12.2 through 3.15.2 of the rspack builder, a Nuxt dev server is running, and the developer opens a malicious web site. (The affected-version data in the record below lists both ranges as < 3.15.3; the original text's "3.15.12", "3.152" and "3.15.13" appear to be typos for 3.15.2 and 3.15.3.) Because a request for a classic script made by a `<script>` tag is not subject to the same-origin policy, an attacker can load the dev server's chunks from their own site and run the script. By calling `Function::toString` on the values in `window.webpackChunknuxt_app`, the attacker can recover the source code. Version 3.15.3 of Nuxt patches this issue.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nuxt/nuxt/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/nuxt/nuxt/commit/7eeb910bf4acc… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24361",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:13:25.340238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:32.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nuxt",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.15.3"
},
{
"status": "affected",
"version": "\u003e= 3.12.2, \u003c 3.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject a malicious script in their site and run the script. By using `Function::toString` against the values in `window.webpackChunknuxt_app`, the attacker can get the source code. Version 3.15.13 of Nuxt patches this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-25T00:53:23.400Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99"
},
{
"name": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nuxt/nuxt/commit/7eeb910bf4accb1e0193b9178c746f06ad3dd88f"
}
],
"source": {
"advisory": "GHSA-4gf7-ff8x-hq99",
"discovery": "UNKNOWN"
},
"title": "Opening a malicious website while running a Nuxt dev server could allow read-only access to code"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24361",
"datePublished": "2025-01-25T00:53:23.400Z",
"dateReserved": "2025-01-20T15:18:26.989Z",
"dateUpdated": "2025-02-12T20:41:32.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}