CVE-2026-56698
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin.
Risk Assessment
The lack of URL validation may lead to the execution of malicious code, posing a serious threat to the application's security and user data. Attackers can exploit this vulnerability to take control of the application.
Recommendation
It is recommended to update Nuxt to versions 4.4.7 or 3.21.7 and implement additional input validation mechanisms to prevent the injection of malicious scripts.
Original NVD description (English source)
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.

