CVE-2026-45669

Summary

Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.

Affected Software

VendorProductVersion RangeStatus
nuxtnuxt>= 3.4.3, < 3.21.6affected
nuxtnuxt>= 4.0.0-alpha.1, < 4.4.6affected

Weaknesses

  • CWE-83: CWE-83: Improper Neutralization of Script in Attributes in a Web Page

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References