Server-Side Rendering Vulnerability in Nuxt Framework Versions
CVE-2026-47200

6.3MEDIUM

Key Information:

Vendor

Nuxt

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47200?

In specific versions of the Nuxt framework, a server-side rendering vulnerability can lead to route middleware being bypassed due to improper handling of .server.vue files. When the experimental.componentIslands feature is enabled, these files are automatically registered as server islands without properly invoking the Vue Router. As a result, essential middleware defined on the client pages does not execute, potentially exposing applications to risks associated with unverified routing logic. Affected versions exist in both Nuxt and @nuxt/nitro-server, but fixes have been applied in more recent releases.

Affected Version(s)

nuxt >= 3.11.0, < 3.21.6 < 3.11.0, 3.21.6

nuxt >= 4.0.0-alpha.1, < 4.4.6 < 4.0.0-alpha.1, 4.4.6

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.