CVE-2026-45669 | THREATINT

Description

Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.

PUBLISHED Reserved 2026-05-12 | Published 2026-06-12 | Updated 2026-06-12 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-83: Improper Neutralization of Script in Attributes in a Web Page

Product status

>= 3.4.3, < 3.21.6

affected

>= 4.0.0-alpha.1, < 4.4.6

affected

References

github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468 exploit

github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468

github.com/nuxt/nuxt/pull/35052

cve.org (CVE-2026-45669)

nvd.nist.gov (CVE-2026-45669)

Download JSON