Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Nuxt — Vulnerabilities & Security Advisories 24

Browse all 24 CVE security advisories affecting Nuxt. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Nuxt is a Vue.js framework for building server-side rendered applications, commonly used for creating performant web experiences. Historically, it has been susceptible to cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities, often through improper input handling or insecure template rendering. While no major public security incidents have been widely reported, the 12 documented CVEs highlight potential risks in areas like dependency management and configuration handling. Developers should implement strict input validation, keep dependencies updated, and follow secure coding practices to mitigate these risks, as the framework's complexity increases potential attack surfaces.

CVE IDTitleCVSSSeverityPublished
CVE-2026-56301 Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux — NuxtCWE-276 5.5 Medium2026-06-23
CVE-2026-56698 Nuxt - Cross-Site Scripting via navigateTo open Option — NuxtCWE-79 6.1 Medium2026-06-22
CVE-2026-56697 Nuxt - Open Redirect via Protocol-Relative Paths in reloadNuxtApp — NuxtCWE-601 6.1 Medium2026-06-22
CVE-2026-56326 Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo — NuxtCWE-601 6.1 Medium2026-06-22
CVE-2026-56317 Nuxt - Cross-Site Scripting via NoScript Component Slot Content — NuxtCWE-79--2026-06-20
CVE-2026-53722 Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL — nuxtCWE-79--2026-06-12
CVE-2026-53721 Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher — nuxtCWE-178--2026-06-12
CVE-2026-47200 Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` — nuxtCWE-284--2026-06-12
CVE-2026-49993 @nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g) — nuxtCWE-749--2026-06-12
CVE-2026-45669 Nuxt: Reflected XSS in `navigateTo()` external redirect — nuxtCWE-83--2026-06-12
CVE-2026-45670 Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99) — nuxtCWE-749--2026-06-12
CVE-2026-46342 Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning — nuxtCWE-79--2026-06-12
CVE-2025-59414 Nuxt Client-Side Path Traversal in Nuxt Island Payload Revival — nuxtCWE-22 3.1 Low2025-09-17
CVE-2025-27415 Nuxt allows DOS via cache poisoning with payload rendering response — nuxtCWE-349 7.5 High2025-03-19
CVE-2025-24361 Opening a malicious website while running a Nuxt dev server could allow read-only access to code — nuxtCWE-749 5.3 Medium2025-01-25
CVE-2025-24360 Opening a malicious website while running a Nuxt dev server could allow read-only access to code — nuxtCWE-200 5.3 Medium2025-01-25
CVE-2024-42352 Server-Side Request Forgery (SSRF) in nuxt-icon — iconCWE-918 8.6 High2024-08-05
CVE-2024-34344 Remote code execution via the browser when running the test locally in nuxt — nuxtCWE-94 8.8 High2024-08-05
CVE-2024-34343 Cross-site Scripting (XSS) in navigateTo if used after SSR in nuxt — nuxtCWE-79 6.3 Medium2024-08-05
CVE-2024-23657 Path Traversal: '../filedir' in Nuxt Devtools — nuxtCWE-22 8.8 High2024-08-05
CVE-2023-3224 Code Injection in nuxt/nuxt — nuxt/nuxtCWE-94 8.6 -2023-06-13
CVE-2023-0878 Cross-site Scripting (XSS) - Generic in nuxt/framework — nuxt/frameworkCWE-79 6.1 -2023-02-17
CVE-2022-4413 Cross-site Scripting (XSS) - Reflected in nuxt/framework — nuxt/frameworkCWE-79 6.1 -2022-12-11
CVE-2022-4414 Cross-site Scripting (XSS) - DOM in nuxt/framework — nuxt/frameworkCWE-79 6.1 -2022-12-11

This page lists every published CVE security advisory associated with Nuxt. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.