Incomplete Fix in Nuxt Framework Affects Development Security
CVE-2026-49993
5.9 MEDIUM
What is CVE-2026-49993?
The Nuxt framework, used for web development with Vue.js, has a security risk in its @nuxt/rspack-builder and @nuxt/webpack-builder components. Developers using versions from 3.15.4 up to but not including 3.21.7, or from 4.0.0 up to but not including 4.4.7, may inadvertently expose their source code if their development server is accessible over non-loopback addresses. This creates a potential attack vector if a malicious site is accessed while on the same network. An incomplete fix for a previous vulnerability further exacerbates this issue. The problem has been resolved in the latest versions, 3.21.7 and 4.4.7, and all users should update promptly to mitigate the risk.
Affected Version(s)
nuxt: affected >= 3.15.4, < 3.21.7; unaffected < 3.15.4, 3.21.7
nuxt: affected >= 4.0.0, < 4.4.7; unaffected < 4.0.0, 4.4.7
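A triage check for the conditions described above, as an added example that is not code from the Nuxt project or from this advisory. The version ranges and builder package names come from the text; the `triage` input shape, the sample project, and the treatment of an unset host as loopback are assumptions.

```javascript
// Ranges and package names as stated in the advisory text.
const AFFECTED = [
  { min: [3, 15, 4], fixed: [3, 21, 7] },
  { min: [4, 0, 0], fixed: [4, 4, 7] },
];
const BUILDERS = ['@nuxt/webpack-builder', '@nuxt/rspack-builder'];

// Parse "major.minor.patch"; prerelease and build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when min <= version < fixed for either affected release line.
function inAffectedRange(version) {
  const v = parseVersion(version);
  return AFFECTED.some(r => cmp(v, r.min) >= 0 && cmp(v, r.fixed) < 0);
}

// Loopback means localhost, ::1 or 127.0.0.0/8. 0.0.0.0 and LAN addresses are not.
function isLoopbackHost(host) {
  if (!host) return true; // assumption: an unset host keeps the default loopback binding
  const h = host.toLowerCase().replace(/^\[|\]$/g, '');
  return h === 'localhost' || h === '::1' || /^127(\.\d{1,3}){3}$/.test(h);
}

// Hypothetical input: installed nuxt version, installed package map, dev server host.
function triage({ nuxtVersion, dependencies = {}, devHost }) {
  const builders = BUILDERS.filter(name => name in dependencies);
  const affectedVersion = inAffectedRange(nuxtVersion);
  const exposed = !isLoopbackHost(devHost);
  const atRisk = affectedVersion && builders.length > 0 && exposed;
  return { affectedVersion, builders, exposed, atRisk };
}

// Constructed sample project, not taken from a real code base.
const sample = {
  nuxtVersion: '3.17.2',
  dependencies: { nuxt: '3.17.2', '@nuxt/webpack-builder': '3.17.2' },
  devHost: '0.0.0.0',
};
console.log(triage(sample));
```

A project is flagged only when all three conditions hold; upgrading to 3.21.7 or 4.4.7 clears the version condition regardless of how the dev server is bound.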
