CVE-2026-46342 | THREATINT

Description

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.

PUBLISHED Reserved 2026-05-13 | Published 2026-06-12 | Updated 2026-06-12 | Assigner GitHub_M

LOW: 2.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Product status

>= 3.1.0, < 3.21.6

affected

>= 4.0.0-alpha.1, < 4.4.6

affected

References

github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v

github.com/nuxt/nuxt/pull/35077

cve.org (CVE-2026-46342)

nvd.nist.gov (CVE-2026-46342)

Download JSON