CVE Catalog

CVE-2026-56698

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile — higher than 13% of all known CVEs

Summary

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin.

Risk Assessment

The lack of URL validation may lead to the execution of malicious code, posing a serious threat to the application's security and user data. Attackers can exploit this vulnerability to take control of the application.

Recommendation

It is recommended to update Nuxt to versions 4.4.7 or 3.21.7 and implement additional input validation mechanisms to prevent the injection of malicious scripts.

Original NVD description (English source)

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS