Open Redirect Vulnerability in Nuxt by Nuxt.js
CVE-2026-56697
5.3 MEDIUM
What is CVE-2026-56697?
Nuxt versions prior to 4.4.7 (for v4) and 3.21.7 (for v3) have a security flaw in the reloadNuxtApp function, which accepts protocol-relative paths. A path such as //evil.com bypasses the security checks for script protocols and lets attackers redirect users to malicious hosts. This could facilitate phishing attacks and the theft of OAuth authorization codes by redirecting users to attacker-controlled sites.
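The gap described above, as an added example that is not Nuxt's code or its patch: a check that rejects only script protocols next to one that resolves the path and compares origins. The function names, APP_ORIGIN and the sample paths are constructed for illustration.

```javascript
// Added illustration. Function names and APP_ORIGIN are hypothetical,
// not Nuxt internals.
const APP_ORIGIN = 'https://app.example'; // constructed origin

// Weak form: rejects only script-like schemes. A protocol-relative
// path has no scheme at all, so it is accepted.
function passesScriptProtocolCheck(path) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(String(path));
  const scripty = ['javascript', 'data', 'vbscript'];
  return !(m && scripty.includes(m[1].toLowerCase()));
}

// Hardened form: resolve the value the way a browser would, then
// require that the result stays on the application's own origin.
function isSameOriginPath(path, origin = APP_ORIGIN) {
  if (typeof path !== 'string') return false;
  try {
    return new URL(path, origin).origin === new URL(origin).origin;
  } catch {
    return false; // unparseable input is rejected
  }
}

// Host the browser would actually navigate to for a given value.
function resolvedHost(path, origin = APP_ORIGIN) {
  try { return new URL(path, origin).host; } catch { return null; }
}

// Constructed sample inputs.
const SAMPLES = [
  '/dashboard?tab=1',    // ordinary in-app path
  '//evil.com/login',    // protocol-relative: inherits https:, leaves the app
  '/\\evil.com',         // URL parsing treats "\" as "/" for http(s)
  'javascript:alert(1)', // script protocol: the case the weak check covers
];

function compare(samples = SAMPLES) {
  return samples.map((path) => ({
    path,
    host: resolvedHost(path),
    weak: passesScriptProtocolCheck(path),
    strict: isSameOriginPath(path),
  }));
}

console.table(compare());
```

Comparing origins after resolution also covers the backslash variant, which a plain "does not start with //" string test would miss.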
Affected Version(s)
Nuxt 4.0.0 < 4.4.7
Nuxt 0 < 3.21.7
Nuxt 4.4.7
