Description
Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
Published: 2026-06-20
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the NoScript component of Nuxt, where content supplied to a component slot is written directly to innerHTML without any escaping. An attacker can inject HTML or script fragments into untrusted data that reaches the slot, for example via route.query parameters. Because the injected markup implicitly closes the noscript element, the following script tags are parsed and executed in the document context, with the privileges of the page, potentially exposing cookies or session data or performing actions on behalf of the user.

Affected Systems

Nuxt users running the community edition of Nuxt before version 4.4.7, or any 3.x release prior to 3.21.7, are susceptible. These versions fall under the Nuxt CPE entry associated with node.js deployments. Releases at or above these thresholds include the patch that properly escapes slot content.

Risk and Exploitability

The CVSS score of 2.3 reflects only a low‑severity impact; the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The attack vector requires that an attacker can craft a request containing malicious content that ends up in a NoScript slot, which is a typical web‑attack scenario. Given the low score, the likelihood of widespread exploitation is low, but the potential for an XSS attack remains if the application accepts user input into the NoScript slot.

Generated by OpenCVE AI on June 20, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nuxt to version 4.4.7 or newer, or 3.21.7 or newer if using the 3.x branch
  • Validate and sanitize any data passed to NoScript component slots before rendering
  • Implement a Content Security Policy that restricts inline scripts and blocks execution of scripts from unknown sources
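The second action above (escape slot content before it reaches innerHTML) is illustrated by the following added example. It is not Nuxt's code and not the project's patch; the function names, the structure of the rendered markup and the sample query value are assumptions constructed for this illustration. The vulnerable variant reproduces the pattern the description names (untrusted data interpolated unescaped), and the hardened variant shows the escaping that keeps a "</noscript>" or "<script>" in the data as literal text.

```javascript
// Added illustration (not Nuxt's code): writing untrusted slot content
// to the noscript markup verbatim versus escaping it first.
// Function names and markup layout are assumptions for this example.

// Constructed sample of untrusted input, e.g. a value read from route.query.
const CONSTRUCTED_QUERY_VALUE =
  'fallback text</noscript><script>console.log("injected")</script>';

// Escape the characters that are significant in HTML text content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (the one CVE-2026-56317 describes): slot content is
// interpolated into the noscript element with no escaping, so markup in the
// data can close the element early and append a script element.
function renderNoscriptUnsafe(slotContent) {
  return `<noscript>${slotContent}</noscript>`;
}

// Hardened pattern: escape before interpolation, so the data is rendered
// as text and cannot break out of the noscript element.
function renderNoscriptSafe(slotContent) {
  return `<noscript>${escapeHtml(slotContent)}</noscript>`;
}

// Review/test helper: does the content between the outer noscript tags
// contain an early close or a script element? Useful as a regression check
// on whatever component renders the fallback markup.
function breaksOutOfNoscript(html) {
  const inner = html.slice('<noscript>'.length, -'</noscript>'.length);
  return /<\/noscript|<script/i.test(inner);
}

// Usage: compare both renderings for the constructed input.
console.log('unsafe breaks out:', breaksOutOfNoscript(renderNoscriptUnsafe(CONSTRUCTED_QUERY_VALUE)));
console.log('safe breaks out:  ', breaksOutOfNoscript(renderNoscriptSafe(CONSTRUCTED_QUERY_VALUE)));
```

The escaping shown is for text content inside the element; if an application legitimately needs HTML markup inside a NoScript slot (for example a static fallback image), that markup should be a trusted literal in the template, with only the untrusted values escaped before interpolation.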



Advisories

No advisories yet.

History

Sat, 20 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
Title | | Nuxt - Cross-Site Scripting via NoScript Component Slot Content
First Time appeared | | Nuxt; Nuxt nuxt
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:node.js:*:*
Vendors & Products | | Nuxt; Nuxt nuxt
References | |
Metrics | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:21:56.449Z

Reserved: 2026-06-20T12:59:07.917Z

Link: CVE-2026-56317

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T17:45:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')