Cross-Site Scripting Vulnerability in Nuxt Framework
CVE-2026-45669

5.3 MEDIUM

Key Information:

Vendor: Nuxt

Status
Vendor
CVE Published: 12 June 2026

What is CVE-2026-45669?

Nuxt Framework versions from 3.4.3 up to but not including 3.21.6, and from 4.0.0-alpha.1 up to but not including 4.4.6, are susceptible to cross-site scripting through the navigateTo() function when it is used with external URLs. The function generates a server-side HTML redirect containing a tag in which the destination URL is inadequately sanitized. An attacker who can manipulate the URL input can inject arbitrary HTML and JavaScript that executes in the context of the application's origin. Users should upgrade to the patched versions 3.21.6 and 4.4.6 to mitigate this risk.
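The failure mode described above, as an added example contrasting an unescaped redirect body with a validated and escaped one. This is not Nuxt's source or its patch: every function name is hypothetical, and the `<meta http-equiv="refresh">` shape of the redirect tag is an assumption, since the page does not name the tag.

```javascript
// Added illustration; not Nuxt's source or its patch. Names are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Encode every character that could close the attribute or open a tag.
function escapeHtmlAttr(value) {
  return value.replace(/[&<>"'`]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Validate an untrusted redirect target. Returns a normalized absolute URL,
// or null when the target must not be used.
function safeExternalTarget(input, allowedHosts) {
  let url;
  try {
    url = new URL(input); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  if (!allowedHosts.has(url.hostname)) return null;
  return url.href; // serializer percent-encodes ", < and > in path and query
}

// Assumed shape of the redirect document (the page does not name the tag).
function redirectDocument(urlAttrValue) {
  return '<!DOCTYPE html><html><head>' +
    `<meta http-equiv="refresh" content="0; url=${urlAttrValue}">` +
    '</head></html>';
}

// Weak: destination interpolated into the attribute as received.
function redirectBodyUnsafe(target) {
  return redirectDocument(target);
}

// Hardened: allowlist and normalize first, then escape for the attribute.
function redirectBodySafe(input, allowedHosts) {
  const target = safeExternalTarget(input, allowedHosts);
  if (target === null) return null; // caller rejects the request
  return redirectDocument(escapeHtmlAttr(target));
}

// Constructed input: markup smuggled into a query string.
const sample = 'https://example.com/?q="><b>x</b>';
const hosts = new Set(['example.com']);
console.log(redirectBodyUnsafe(sample));
console.log(redirectBodySafe(sample, hosts));
```

An allowlist check of this kind, applied before user-influenced values reach navigateTo(), is a defence in depth alongside the upgrade, not a replacement for it.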

Affected Version(s)

nuxt >= 3.4.3, < 3.21.6

nuxt >= 4.0.0-alpha.1, < 4.4.6

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
