CVE-2026-45669
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
Nuxt is a web development framework that in versions from 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 has an issue with the navigateTo() function. Using external: true generates an HTML redirect with a <meta http-equiv="refresh"> tag, allowing for injection of malicious code.
Risk Assessment
Attackers can exploit this vulnerability to inject arbitrary HTML/JavaScript, potentially leading to application takeover and user data theft.
Recommendation
It is recommended to upgrade to versions 3.21.6 or 4.4.6 to eliminate this vulnerability and secure the application against potential attacks.
Original NVD description (English source)
Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.

