Description
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nuxt versions prior to 4.4.7 and 3.21.7 do not validate script‑capable URLs supplied to the navigateTo open option, permitting attackers to inject javascript: links. When an attacker supplies a client‑controlled URL containing a javascript: scheme, the browser will execute the payload in the context of the application’s origin. This grants the attacker the ability to read and modify data within the web application, leading to theft of sensitive information, session hijacking, or defacement. The weakness is a classic reflected XSS flaw as identified by CWE‑79.

Affected Systems

Nuxt applications using 4.0.0 through 4.4.6, and any 3.x release earlier than 3.21.7, remain vulnerable. The issue affects all Nuxt deployments that rely on navigateTo with the open option if they do not validate the input respectively. The vulnerability does not extend to Nuxt 4.4.7+ or 3.21.7+ where the validation has been implemented, or to projects that have removed the open option from their navigation logic.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as medium severity, indicating that while exploitation is feasible, it does not provide remote code execution. The EPSS score is not available, so no estimate of current exploitation probability can be provided, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to supply a crafted javascript: URL through the open parameter, typically via a user‑controllable input such as a query string or form field. If the application renders that URL or otherwise trusts it, the payload will run in the victim’s browser, allowing data exfiltration and other malicious actions. The risk is heightened if the application uses navigateTo with open for external links without proper validation.

Generated by OpenCVE AI on June 22, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nuxt to version 4.4.7 or later, or to 3.21.7 or later, which includes proper validation of script‑capable URLs.
  • Validate or whitelist URLs before passing them to navigateTo, rejecting any javascript:, data:, or other script‑scheme URLs.
  • If navigateTo open option is unnecessary, remove its usage or disable it in the client code to eliminate the attack vector.

Generated by OpenCVE AI on June 22, 2026 at 23:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Nuxt nuxt
Vendors & Products Nuxt nuxt

Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.
Title Nuxt - Cross-Site Scripting via navigateTo open Option
First Time appeared Nuxt
Nuxt og Image
Weaknesses CWE-79
CPEs cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*
Vendors & Products Nuxt
Nuxt og Image
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T15:05:45.501Z

Reserved: 2026-06-22T17:09:16.556Z

Link: CVE-2026-56698

cve-icon Vulnrichment

Updated: 2026-06-23T14:55:54.216Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T01:45:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')