CVE-2026-56317

Summary

Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.

Affected Software

VendorProductVersion RangeStatus
NuxtNuxt4.0.0 < 4.4.7affected
NuxtNuxt4.4.7unaffected
NuxtNuxt0 < 3.21.7affected
NuxtNuxt3.21.7unaffected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References