Vulnerability in Vue.js Web Development Framework Affecting Nuxt by Nuxt
CVE-2026-46342
What is CVE-2026-46342?
In the affected versions of the Nuxt framework, the /__nuxt_island/* endpoint has an improper input validation vulnerability. The attacker-controlled props parameter, supplied in the query string or the request body, can be rendered without thorough validation. The hash in the URL is computed client-side, and when it is not verified server-side, the same URL can yield different responses depending on the query parameters provided. Attackers can therefore manipulate responses by injecting unvalidated parameters, potentially leading to a wide range of security concerns. Versions 3.21.6 and 4.4.6 address this vulnerability.
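The server-side check described above, as an added example (not Nuxt's own code or its actual fix): it recomputes a digest from the component name and props and rejects any request whose URL hash does not match, so one URL maps to exactly one set of props. The `Name_hash.json` path shape, the SHA-256 digest, and all function names are assumptions for illustration; only the query-string case is shown.

```javascript
// Added example, not Nuxt's code. URL shape and hash scheme are assumptions.
const { createHash } = require("node:crypto");

// Serialize with sorted object keys so equal props always produce equal bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(",")}]`;
  if (value && typeof value === "object") {
    const entries = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(value[k])}`);
    return `{${entries.join(",")}}`;
  }
  return JSON.stringify(value);
}

// Hypothetical digest binding the component name and its props to the URL.
// It is unkeyed: it does not authenticate the caller, it only ties URL to props.
function islandHash(name, props) {
  return createHash("sha256").update(canonicalize([name, props]))
    .digest("hex").slice(0, 16);
}

// Returns { ok, status, ... }; rejects when the path hash does not match the props.
function verifyIslandRequest(rawUrl) {
  const url = new URL(rawUrl, "http://localhost");
  const m = /^\/__nuxt_island\/([A-Za-z0-9]+)_([0-9a-f]{16})\.json$/
    .exec(url.pathname);
  if (!m) return { ok: false, status: 400, reason: "malformed island path" };
  const [, name, urlHash] = m;
  let props;
  try {
    props = JSON.parse(url.searchParams.get("props") ?? "{}");
  } catch {
    return { ok: false, status: 400, reason: "props is not valid JSON" };
  }
  if (props === null || typeof props !== "object" || Array.isArray(props)) {
    return { ok: false, status: 400, reason: "props must be an object" };
  }
  // Recompute server-side; never trust the client-computed value on its own.
  if (islandHash(name, props) !== urlHash) {
    return { ok: false, status: 400, reason: "hash does not match props" };
  }
  return { ok: true, status: 200, name, props };
}
```

The props accepted here would still need per-component validation before rendering; the hash check only guarantees that a given URL cannot be replayed with different props.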
Affected Version(s)
nuxt >= 3.1.0, < 3.21.6 < 3.1.0, 3.21.6
nuxt >= 4.0.0-alpha.1, < 4.4.6 < 4.0.0-alpha.1, 4.4.6
