CVE-2026-56317
2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Nuxt | Nuxt | 4.0.0 < 4.4.7 | affected |
| Nuxt | Nuxt | 4.4.7 | unaffected |
| Nuxt | Nuxt | 0 < 3.21.7 | affected |
| Nuxt | Nuxt | 3.21.7 | unaffected |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m
- https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e
- https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e
- https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-noscript-component-slot-content
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.