Server-Side Rendering Vulnerability in Nuxt Framework Versions
CVE-2026-47200
6.3 MEDIUM
What is CVE-2026-47200?
In specific versions of the Nuxt framework, a server-side rendering vulnerability can lead to route middleware being bypassed due to improper handling of .server.vue files. When the experimental.componentIslands feature is enabled, these files are automatically registered as server islands without properly invoking the Vue Router. As a result, essential middleware defined on the client pages does not execute, potentially exposing applications to risks associated with unverified routing logic. Affected versions exist in both Nuxt and @nuxt/nitro-server, but fixes have been applied in more recent releases.
Affected Version(s)
nuxt >= 3.11.0, < 3.21.6 < 3.11.0, 3.21.6
nuxt >= 4.0.0-alpha.1, < 4.4.6 < 4.0.0-alpha.1, 4.4.6
