CVE-2026-53722
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
The Nuxt framework prior to versions 3.21.7 and 4.4.7 did not validate the URL scheme for values bound to the to or href attributes of the <NuxtLink> component. This allows attackers to inject malicious scripts, leading to reflected XSS attacks.
Risk Assessment
Organizations may be exposed to XSS attacks that could result in user data theft or session hijacking. Exploiting this vulnerability may also lead to phishing scams.
Recommendation
It is recommended to update the Nuxt framework to versions 3.21.7 or 4.4.7 to mitigate this vulnerability. Additionally, conduct an audit of the application to identify potential injection points for malicious URLs.
Original NVD description (English source)
Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.

