Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5.
AnalysisAI
Nuxt OG Image versions prior to 6.2.5 allow cross-site scripting (XSS) attacks via arbitrary HTML attribute injection in the image-generation endpoint at /_og/d/, affecting any unauthenticated remote user who can craft a malicious URI. An attacker can inject attributes into the HTML page body to execute JavaScript in the context of users' browsers, compromising confidentiality and integrity without service disruption. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
Nuxt OG Image is a module that dynamically generates Open Graph meta image tags using Vue templates within Nuxt applications. The vulnerability resides in improper input sanitization within the image-generation component accessible via the URI path /_og/d/ (and /og-image/ in older versions). The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting), indicating that user-supplied input from the URI parameters is rendered into HTML without adequate escaping or validation. This allows an attacker to break out of intended attribute contexts and inject arbitrary HTML attributes or elements that execute client-side scripts.
RemediationAI
Upgrade Nuxt OG Image to version 6.2.5 or later immediately. Vendor-released patch: 6.2.5. Administrators unable to upgrade immediately should restrict access to the /_og/d/ and /og-image/ endpoints using reverse proxy rules or firewall policies to limit exposure, and implement Content Security Policy (CSP) headers with script-src restrictions to mitigate XSS impact. Validation and sanitization of all URI parameters passed to the OG image generation component should be enforced at the application level as a defense-in-depth measure. Refer to the GitHub Security Advisory at https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h for additional details and community guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17670
GHSA-mg36-wvcr-m75h