Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
References
| Link | Resource |
|---|---|
| https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e | Patch |
| https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e | Patch |
| https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m | Mitigation Patch Vendor Advisory |
| https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-noscript-component-slot-content | Patch Third Party Advisory |
History
23 Jun 2026, 17:44
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:* | |
| First Time | Nuxt nuxt<br>Nuxt | |
| References | () https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e - Patch | |
| References | () https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e - Patch | |
| References | () https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m - Mitigation, Patch, Vendor Advisory | |
| References | () https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-noscript-component-slot-content - Patch, Third Party Advisory | |
| CVSS | v2 : <br>v3 : | v2 : unknown<br>v3 : 6.1 |
20 Jun 2026, 16:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-06-20 16:17
Updated : 2026-06-23 17:44
NVD link : CVE-2026-56317
Mitre link : CVE-2026-56317
CVE.ORG link : CVE-2026-56317
Products Affected
nuxt
- nuxt
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
