CVE-2026-46342

MEDIUM

Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

Title source: cna

Description

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v

X_Refsource_Misc x_refsource_misc

https://github.com/nuxt/nuxt/pull/35077

Scores

CVSS v3 5.4

EPSS 0.0016

EPSS Percentile 5.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-349 CWE-444 CWE-79

Status published

Products (8)

npm/nuxt 3.1.0 - 3.21.6npm

npm/nuxt 4.0.0-alpha.1 - 4.4.6npm

nuxt/nitro-server 3.20.0 - 3.21.6npm

nuxt/nitro-server 4.2.0 - 4.4.6npm

nuxt/nuxt 3.1.0 - 3.21.6

nuxt/nuxt >= 3.1.0, < 3.21.6

nuxt/nuxt >= 4.0.0-alpha.1, < 4.4.6

nuxt/nuxt\/nitro-server 3.20.0 - 3.21.6

Published Jun 12, 2026

Tracked Since Jun 12, 2026