Vulnerability in Vue.js Web Development Framework Affecting Nuxt by Nuxt
CVE-2026-46342

2.3LOW

Key Information:

Vendor

Nuxt

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-46342?

In the Nuxt framework versions specified, the /__nuxt_island/* endpoint is susceptible to an improper input validation vulnerability. This issue arises because attacker-controlled props query or body parameters can be rendered without a thorough validation process. Consequently, if the URL-resident hash, which is computed client-side, is not verified server-side, it leads to a situation where the same URL can yield different responses based on the query parameters provided. This creates an opportunity for attackers to manipulate the responses by injecting unvalidated parameters, potentially leading to a wide range of security concerns. Versions 3.21.6 and 4.4.6 have addressed this vulnerability.

Affected Version(s)

nuxt >= 3.1.0, < 3.21.6 < 3.1.0, 3.21.6

nuxt >= 4.0.0-alpha.1, < 4.4.6 < 4.0.0-alpha.1, 4.4.6

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.