Description
Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nuxt versions 3.4.3 through 3.21.5, and 4.0.0-alpha.1 up to but not including 4.4.6, generate a server-side HTML redirect when navigateTo() is called with external: true. The redirect body contains a meta refresh tag whose content attribute is populated with the supplied URL after replacing only double quotes with %22. The characters <, >, &, and ' are left unencoded, so a crafted value can terminate the attribute and inject arbitrary HTML or JavaScript into the page. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can therefore execute script in the application's origin, potentially allowing data theft, session hijacking, or defacement. The weakness is a classic reflected XSS scenario, classified under CWE‑83.

Affected Systems

The vulnerable Nuxt framework comprises multiple major releases. Products affected include Nuxt 3.4.3 up to (but not including) 3.21.6 and Nuxt 4.0.0‑alpha.1 up to (but not including) 4.4.6. The issue has been patched in any release of Nuxt 3.21.6 or later and 4.4.6 or later.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, and the EPSS score of less than 1% means exploitation is unlikely but possible. The vulnerability is not present in the CISA KEV catalog. Attacks would likely involve a user clicking a crafted link that causes the application to call navigateTo with an attacker-influenced URL; script embedded in that URL then executes under the application's origin. No elevated privileges or authentication are required beyond the ability to influence the redirect URL.

Generated by OpenCVE AI on June 12, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nuxt to version 3.21.6 or later, or 4.4.6 or later, where the redirect sanitization has been fixed
  • If an upgrade is not immediately possible, avoid calling navigateTo with external: true on untrusted URLs; validate or encode the entire URL before passing it into the function
  • If external redirects must be used, implement a server‑side whitelist that restricts redirect destinations to trusted domains and policies that remove or encode hazardous characters
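The encoding gap described in the Impact section, and the allowlist-plus-encoding mitigation recommended above, shown side by side in an added example. This is not Nuxt's own code: the builder functions, the `0; url=` meta-refresh format, the allowed-host set and the sample URL are assumptions constructed for illustration.

```javascript
// Added example, not Nuxt's code. escapeAttrWeak() reproduces the behaviour the
// advisory describes (only '"' replaced); escapeAttr() and isAllowedExternal()
// show the hardened alternative. Names and the allowlist are assumptions.

// Weak sanitizer, kept only to make the gap visible. Do not use.
function escapeAttrWeak(url) {
  return url.replace(/"/g, '%22');
}

// Hardened attribute encoder: every character that can end or alter an HTML
// attribute value is encoded. '&' goes first so later entities are not re-encoded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed allowlist (assumption): the only hosts an external redirect may target.
const ALLOWED_HOSTS = new Set(['docs.example.com', 'shop.example.com']);

// Parse with the WHATWG URL parser; reject relative or malformed input,
// non-http(s) schemes, and any host that is not on the allowlist.
function isAllowedExternal(url, allowedHosts = ALLOWED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(url); // throws for relative paths and malformed strings
  } catch {
    return false;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  return allowedHosts.has(parsed.hostname);
}

// Builds the meta-refresh redirect page. With weak=true it mirrors the advisory's
// description (no host check, '"' only). Otherwise it returns null when the
// destination fails validation so the caller can fall back to a safe default.
function buildRedirectBody(url, { weak = false, allowedHosts = ALLOWED_HOSTS } = {}) {
  if (weak) {
    return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${escapeAttrWeak(url)}"></head></html>`;
  }
  if (!isAllowedExternal(url, allowedHosts)) return null;
  return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${escapeAttr(url)}"></head></html>`;
}

// Constructed sample: an allowed host whose query string carries the characters
// the weak sanitizer leaves untouched (<, >, &, ').
const SAMPLE = "https://docs.example.com/search?q=<b>x</b>&lang='en'";
```

Calling `buildRedirectBody(SAMPLE, { weak: true })` yields a body in which the `<b>` tag from the query string appears raw inside the page; `buildRedirectBody(SAMPLE)` yields one in which it survives only as `&lt;b&gt;`, and `buildRedirectBody('https://evil.example.net/')` returns `null` because the host is not allowlisted. Encoding fixes the attribute break-out; the allowlist additionally closes open-redirect abuse, which encoding alone does not address.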



Advisories
Source: Github GHSA
ID: GHSA-fx6j-w5w5-h468
Title: Nuxt: Reflected XSS in `navigateTo()` external redirect
History

Fri, 12 Jun 2026 15:15:00 +0000

Type: First Time appeared
Values Added: Nuxt; Nuxt nuxt

Type: Vendors & Products
Values Added: Nuxt; Nuxt nuxt

Fri, 12 Jun 2026 14:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 13:45:00 +0000

Type: Description
Values Added: Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.

Type: Title
Values Added: Nuxt: Reflected XSS in `navigateTo()` external redirect

Type: Weaknesses
Values Added: CWE-83

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T14:07:21.725Z

Reserved: 2026-05-12T21:59:25.666Z

Link: CVE-2026-45669

Vulnrichment

Updated: 2026-06-12T14:03:45.577Z

NVD

Status: Undergoing Analysis

Published: 2026-06-12T14:16:31.297

Modified: 2026-06-12T16:01:25.477

Link: CVE-2026-45669

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T15:00:09Z

Weaknesses
  • CWE-83: Improper Neutralization of Script in Attributes in a Web Page