CVE-2026-46342

Summary

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.

Affected Software

VendorProductVersion RangeStatus
nuxtnuxt>= 3.1.0, < 3.21.6affected
nuxtnuxt>= 4.0.0-alpha.1, < 4.4.6affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-349: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
  • CWE-444: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References