CVE-2026-53721 | THREATINT

Description

Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7.

PUBLISHED Reserved 2026-06-10 | Published 2026-06-12 | Updated 2026-06-13 | Assigner GitHub_M

HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-178: Improper Handling of Case Sensitivity

CWE-863: Incorrect Authorization

Product status

>= 3.11.0, < 3.21.7

affected

>= 4.0.0, < 4.4.7

affected

References

github.com/nuxt/nuxt/security/advisories/GHSA-mm7m-92g8-7m47

github.com/...ommit/07e39cd6f26e407b4192b7865bd17bc44536b9bb

github.com/...ommit/3f3e3fa7b5eec8e495f4f8ce0a54813a8875a11e

cve.org (CVE-2026-53721)

nvd.nist.gov (CVE-2026-53721)

Download JSON