CVE-2026-34405
HTML Attribute Injection in Nuxt OG Image Component Before
Publication date: 2026-03-31
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nuxt | og_image | to 6.2.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is in the Nuxt OG Image component, which generates Open Graph images from Vue templates in Nuxt. Prior to version 6.2.5, the image-generation endpoint (`/_og/d/`, or `/og-image/` in older versions) allows an attacker to inject arbitrary attributes into the HTML page body. Malicious input can therefore manipulate the HTML content generated by the component.
How can this vulnerability impact me?
An attacker can inject arbitrary attributes into the HTML page body that the component generates. This could lead to cross-site scripting (XSS) or manipulation of page content, potentially compromising the integrity and security of your web application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Nuxt OG Image component to version 6.2.5 or later, where the issue has been patched.