CVE Catalog

CVE-2026-53722

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

The Nuxt framework prior to versions 3.21.7 and 4.4.7 did not validate the URL scheme for values bound to the to or href attributes of the <NuxtLink> component. This allows attackers to inject malicious scripts, leading to reflected XSS attacks.

Risk Assessment

Organizations may be exposed to XSS attacks that could result in user data theft or session hijacking. Exploiting this vulnerability may also lead to phishing scams.

Recommendation

It is recommended to update the Nuxt framework to versions 3.21.7 or 4.4.7 to mitigate this vulnerability. Additionally, conduct an audit of the application to identify potential injection points for malicious URLs.

Original NVD description (English source)

Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS