CVE-2026-56698

Summary

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.

Affected Software

VendorProductVersion RangeStatus
NuxtNuxt4.0.0 < 4.4.7affected
NuxtNuxt4.4.7unaffected
NuxtNuxt0 < 3.21.7affected
NuxtNuxt3.21.7unaffected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References