CVE-2026-45669

MEDIUM

Nuxt: Reflected XSS in `navigateTo()` external redirect

Title source: cna
STIX 2.1

Description

Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.

References (2)

Core 2
Core References
X_Refsource_Misc x_refsource_misc
https://github.com/nuxt/nuxt/pull/35052

Scores

CVSS v3 5.4
EPSS 0.0016
EPSS Percentile 6.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-83
Status published
Products (5)
npm/nuxt 3.4.3 - 3.21.6npm
npm/nuxt 4.0.0-alpha.1 - 4.4.6npm
nuxt/nuxt 3.4.3 - 3.21.6
nuxt/nuxt >= 3.4.3, < 3.21.6
nuxt/nuxt >= 4.0.0-alpha.1, < 4.4.6
Published Jun 12, 2026
Tracked Since Jun 12, 2026