CVE Catalog

CVE-2026-46342

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.09%

1th percentile — higher than 1% of all known CVEs

Summary

In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, as well as in @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders island components without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs. This issue has been patched in versions 3.21.6 and 4.4.6.

Risk Assessment

An attacker could exploit this vulnerability to render unauthorized components, potentially leading to data exposure or unwanted actions within the application.

Recommendation

It is recommended to upgrade to versions 3.21.6 or 4.4.6 to mitigate this vulnerability and conduct a security audit of the application.

Original NVD description (English source)

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS