Cross-Site Scripting Vulnerability in Nuxt Framework
CVE-2026-45669
5.3 MEDIUM
What is CVE-2026-45669?
Nuxt versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 are vulnerable to cross-site scripting through the navigateTo() function when it is used with external URLs. The function generates a server-side HTML redirect containing a tag in which the destination URL is inadequately sanitized. An attacker who can manipulate the URL input can therefore inject arbitrary HTML and JavaScript that executes in the context of the application's origin. Users should upgrade to the patched versions 3.21.6 and 4.4.6 to mitigate this risk.
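The following is an added example, not Nuxt's code or its patch: a guard an application could apply to an untrusted destination before passing it to navigateTo(), together with the attribute escaping a server-side HTML redirect needs. The helper names, the host allow-list and the modelling of the redirect as a meta refresh tag are assumptions; the page does not name the tag.

```javascript
// Added example: hypothetical helpers, not Nuxt's implementation or its patch.

// Hosts the application is willing to redirect to (constructed sample values).
const ALLOWED_HOSTS = new Set(["example.com", "login.example.com"]);

// Parse an untrusted destination; return a normalised URL string, or null.
function safeExternalUrl(input, allowedHosts = ALLOWED_HOSTS) {
  if (typeof input !== "string") return null;
  let url;
  try {
    url = new URL(input); // throws on relative or malformed input
  } catch {
    return null;
  }
  // Only web schemes; rejects javascript:, data: and similar.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Exact host match; a quote smuggled into the host fails here.
  if (!allowedHosts.has(url.hostname)) return null;
  // Drop embedded credentials (user:pass@host).
  url.username = "";
  url.password = "";
  // The serialiser percent-encodes ", < and > in path and query.
  return url.href;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the redirect body, modelled here as a meta refresh (assumption).
// Returns null when the destination is rejected, so the caller can
// answer with an error or a fixed fallback page instead.
function redirectHtml(destination) {
  const safe = safeExternalUrl(destination);
  if (safe === null) return null;
  return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${escapeAttr(safe)}"></head></html>`;
}
```

Validation and escaping are applied together on purpose: the allow-list limits where a redirect can go, and the escaping keeps whatever value survives from closing the attribute.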
Affected Version(s)
nuxt >= 3.4.3, < 3.21.6 < 3.4.3, 3.21.6
nuxt >= 4.0.0-alpha.1, < 4.4.6 < 4.0.0-alpha.1, 4.4.6
