GHSA-MG36-WVCR-M75H

Vulnerability from github – Published: 2026-03-31 23:27 – Updated: 2026-04-06 16:39
VLAI?
Summary
Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes
Details

Product: Nuxt OG Image Version: 6.1.2 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation Description: Incorrect parsing of GET parameters leads to the possibility of HTML injection and JavaScript code injection. Impact: Client-Side JavaScript Execution Exploitation condition: An external user Mitigation: Correct the logic of parsing GET parameters and their subsequent implementation into the generated page. Researcher: Dmitry Prokhorov (Positive Technologies)

Research

During the analysis of the nuxt-og-image package, which is shipped with the nuxt-seo package, a zero‑day vulnerability was discovered. This research revealed that the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. The vulnerability was reproduced using the standard configuration and the default templates.

Listing 1. The content of the configuration file nuxt.config.ts 

export default defineNuxtConfig({
  modules: ['nuxt-og-image'],
  devServer: {
    host: 'web-test.local',
    port: 3000
  },
  site: {
    url: 'http://web-test.local:3000',
  },
  ogImage: {
    fonts: [
      'Inter:400', 
      'Inter:700'
    ],
  }
})

Vulnerability reproduction

To demonstrate the proof‑of‑concept, follow the URI: /_og/d/og.html?width=1000&height=1000&onmouseover=alert(document.cookie)&autofocus The injected parameters onmouseover=alert(document.cookie) and autofocus are treated as attributes and are inserted directly into the generated HTML page.

Listing 2. HTTP-request example

GET /_og/d/og.html?width=1000&height=1000&onmouseover=alert(document.cookie) HTTP/1.1
Host: web-test.local:3000

Figure 1. The injected attribute in the HTML body image

Figure 2. JavaScript code execution image

Credits

Researcher: Dmitry Prokhorov (Positive Technologies)

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nuxt-og-image"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:27:03Z",
    "nvd_published_at": "2026-03-31T22:16:18Z",
    "severity": "MODERATE"
  },
  "details": "**Product:** Nuxt OG Image \n**Version:** 6.1.2\n**CWE-ID:** [CWE-79](https://cwe.mitre.org/data/definitions/79.html): Improper Neutralization of Input During Web Page Generation\n**Description:** Incorrect parsing of GET parameters leads to the possibility of HTML injection and JavaScript code injection.\n**Impact:** Client-Side JavaScript Execution\n**Exploitation condition:** An external user\n**Mitigation:** Correct the logic of parsing GET parameters and their subsequent implementation into the generated page.\n**Researcher:** Dmitry Prokhorov (Positive Technologies)\n\n## Research \nDuring the analysis of the nuxt-og-image package, which is shipped with the nuxt-seo package, a zero\u2011day vulnerability was discovered.\nThis research revealed that the image\u2011generation component by the URI: `/_og/d/` (and, in older versions, `/og-image/`) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. The vulnerability was reproduced using the standard configuration and the default templates.\n\n\n_Listing 1. The content of the configuration file `nuxt.config.ts`_ \n```\nexport default defineNuxtConfig({\n  modules: [\u0027nuxt-og-image\u0027],\n  devServer: {\n    host: \u0027web-test.local\u0027,\n    port: 3000\n  },\n  site: {\n    url: \u0027http://web-test.local:3000\u0027,\n  },\n  ogImage: {\n    fonts: [\n      \u0027Inter:400\u0027, \n      \u0027Inter:700\u0027\n    ],\n  }\n})\n```\n\n## Vulnerability reproduction\nTo demonstrate the proof\u2011of\u2011concept, follow the URI: `/_og/d/og.html?width=1000\u0026height=1000\u0026onmouseover=alert(document.cookie)\u0026autofocus`\nThe injected parameters `onmouseover=alert(document.cookie)` and `autofocus` are treated as attributes and are inserted directly into the generated HTML page.\n\n\n_Listing 2. HTTP-request example_\n```\nGET /_og/d/og.html?width=1000\u0026height=1000\u0026onmouseover=alert(document.cookie) HTTP/1.1\nHost: web-test.local:3000\n```\n\n_Figure 1. The injected attribute in the HTML body_\n\u003cimg width=\"974\" height=\"670\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d442c235-71a5-4da9-a963-8cf4b8614745\" /\u003e\n\n_Figure 2. JavaScript code execution_\n\u003cimg width=\"974\" height=\"291\" alt=\"image\" src=\"https://github.com/user-attachments/assets/01579f19-8e80-4fae-8516-5903370ee6d8\" /\u003e\n\n\n## Credits\nResearcher: Dmitry Prokhorov (Positive Technologies)",
  "id": "GHSA-mg36-wvcr-m75h",
  "modified": "2026-04-06T16:39:56Z",
  "published": "2026-03-31T23:27:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34405"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt-modules/og-image"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.