CVE-2026-45669

June 12, 2026, 4:01 p.m.

5.3
Medium

Description

Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.

Product(s) Impacted

Vendor Product Versions
Nuxt
  • Nuxt
  • 3.4.3-3.21.6, 4.0.0-alpha.1-4.4.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-83
Improper Neutralization of Script in Attributes in a Web Page
The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a nuxt nuxt 3.4.3-3.21.6 / / / / / / /
a nuxt nuxt 4.0.0-alpha.1-4.4.6 / / / / / / /

References

https://github.com/nuxt/nuxt/pull/35052
https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468
https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468

Tags

[email protected]
CWE-83
2026-06-12
CVE-2026-45669

CVSS Score

5.3 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 12, 2026, 2:16 p.m.
Last Modified: June 12, 2026, 4:01 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.