Incomplete Fix in Nuxt Framework Affects Development Security
CVE-2026-49993

5.9 MEDIUM

Key Information:

Vendor: Nuxt

Status
Vendor
CVE Published: 12 June 2026

What is CVE-2026-49993?

The Nuxt framework, used for web development with Vue.js, carries a security risk in its @nuxt/rspack-builder and @nuxt/webpack-builder components. Developers using versions from 3.15.4 up to but not including 3.21.7, or from 4.0.0 up to but not including 4.4.7, may inadvertently expose their source code if their development server is accessible over non-loopback addresses. This creates a potential attack vector if a malicious site is accessed while on the same network. An incomplete fix for a previous vulnerability further exacerbates this issue. The problem has been resolved in the latest versions, 3.21.7 and 4.4.7, and all users should update promptly to mitigate the risk.

Affected Version(s)

nuxt >= 3.15.4, < 3.21.7 (not affected: < 3.15.4, 3.21.7)

nuxt >= 4.0.0, < 4.4.7 (not affected: < 4.0.0, 4.4.7)

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
