Home

Description

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.

PUBLISHED Reserved 2026-06-22 | Published 2026-06-22 | Updated 2026-06-23 | Assigner VulnCheck




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

4.0.0 (semver) before 4.4.7
affected

4.4.7 (semver)
unaffected

Default status
unaffected

Any version before 3.21.7
affected

3.21.7 (semver)
unaffected

Credits

alcls01111 reporter

References

github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3 (GitHub Security Advisory (GHSA-c9cv-mq2m-ppp3)) vendor-advisory

github.com/...ommit/3394716d4a913cba904b028df5338f2aead50032 patch

github.com/...ommit/62fc32eddf648b00a3890141e0235d2a222b024d patch

www.vulncheck.com/...te-scripting-via-navigateto-open-option (VulnCheck Advisory: Nuxt - Cross-Site Scripting via navigateTo open Option) third-party-advisory

cve.org (CVE-2026-56698)

nvd.nist.gov (CVE-2026-56698)

Download JSON