Skip to main content

Og Image EUVDEUVD-2026-17670

| CVE-2026-34405 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-31 GitHub_M GHSA-mg36-wvcr-m75h
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 21:46 euvd
EUVD-2026-17670
Analysis Generated
Mar 31, 2026 - 21:46 vuln.today
CVE Published
Mar 31, 2026 - 21:16 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5.

AnalysisAI

Nuxt OG Image versions prior to 6.2.5 allow cross-site scripting (XSS) attacks via arbitrary HTML attribute injection in the image-generation endpoint at /_og/d/, affecting any unauthenticated remote user who can craft a malicious URI. An attacker can inject attributes into the HTML page body to execute JavaScript in the context of users' browsers, compromising confidentiality and integrity without service disruption. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

Nuxt OG Image is a module that dynamically generates Open Graph meta image tags using Vue templates within Nuxt applications. The vulnerability resides in improper input sanitization within the image-generation component accessible via the URI path /_og/d/ (and /og-image/ in older versions). The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting), indicating that user-supplied input from the URI parameters is rendered into HTML without adequate escaping or validation. This allows an attacker to break out of intended attribute contexts and inject arbitrary HTML attributes or elements that execute client-side scripts.

RemediationAI

Upgrade Nuxt OG Image to version 6.2.5 or later immediately. Vendor-released patch: 6.2.5. Administrators unable to upgrade immediately should restrict access to the /_og/d/ and /og-image/ endpoints using reverse proxy rules or firewall policies to limit exposure, and implement Content Security Policy (CSP) headers with script-src restrictions to mitigate XSS impact. Validation and sanitization of all URI parameters passed to the OG image generation component should be enforced at the application level as a defense-in-depth measure. Refer to the GitHub Security Advisory at https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h for additional details and community guidance.

Share

EUVD-2026-17670 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy