CVE-2026-46342
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, as well as in @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders island components without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs. This issue has been patched in versions 3.21.6 and 4.4.6.
Risk Assessment
An attacker could exploit this vulnerability to render unauthorized components, potentially leading to data exposure or unwanted actions within the application.
Recommendation
It is recommended to upgrade to versions 3.21.6 or 4.4.6 to mitigate this vulnerability and conduct a security audit of the application.
Original NVD description (English source)
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.

