CVE-2026-45669
Undergoing Analysis Undergoing Analysis - In Progress
Cross-Site Scripting via navigateTo in Nuxt.js

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-12
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-45669
EUVD
EUVD-2026-36420
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
nuxt nuxt From 3.4.3 (inc) to 3.21.6 (exc)
nuxt nuxt From 4.0.0-alpha.1 (inc) to 4.4.6 (exc)
nuxt nuxt to 3.21.6 (inc)
nuxt nuxt to 4.4.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45669 is a reflected Cross-Site Scripting (XSS) vulnerability in the Nuxt.js framework affecting certain versions. It occurs when the navigateTo() function is used with the external: true option, which generates a server-side HTML redirect containing a <meta http-equiv="refresh"> tag.

The destination URL in this redirect is only partially sanitized by replacing double quotes with %22, but leaves other characters like <, >, &, and ' unencoded. This allows an attacker who can control the URL passed to navigateTo() to break out of the content attribute and inject arbitrary HTML or JavaScript.

The injected code executes under the application's origin before the redirect happens, potentially leading to malicious script execution. This vulnerability was patched in Nuxt.js versions 3.21.6 and 4.4.6 by properly encoding HTML-attribute-significant characters in the redirect body.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary HTML or JavaScript code within the context of your web application by manipulating URLs passed to navigateTo(url, { external: true }).

Such script execution can lead to theft of sensitive information, session hijacking, or other malicious actions that compromise the confidentiality and integrity of your application and its users.

Exploitation requires user interaction, such as clicking a crafted link, but once triggered, the attacker-controlled script runs before the redirect occurs.

Detection Guidance

This vulnerability can be detected by identifying if your Nuxt.js application uses the navigateTo() function with the external: true option and if it passes user-controlled input to this function, especially via query parameters like ?next= or ?redirect=.

You can look for URLs or requests that include suspicious or crafted parameters that contain characters such as <, >, &, or ' which are not properly encoded and might be used to inject HTML or JavaScript.

A practical approach is to monitor server responses for meta refresh tags containing unencoded HTML-significant characters in the content attribute.

  • Use network traffic inspection tools (e.g., Wireshark, tcpdump) to capture HTTP responses and search for meta refresh tags with suspicious content.
  • On the server, grep your codebase or logs for usage of navigateTo() with external: true and check if user input is sanitized.
  • Example command to search code for potentially vulnerable usage: grep -r "navigateTo(.*external: true" ./
  • Example command to check logs for suspicious redirect URLs: grep -E "\?next=|\?redirect=" /path/to/access.log | grep -E "[<>\&']"
Mitigation Strategies

The primary mitigation is to upgrade Nuxt.js to a patched version: 3.21.6 or later, or 4.4.6 or later, where the vulnerability has been fixed by properly encoding HTML-attribute-significant characters in the meta-refresh redirect body.

If upgrading immediately is not possible, apply temporary mitigations by validating and sanitizing any user-controlled URLs passed to navigateTo(url, { external: true }).

  • Reject or sanitize inputs containing characters like < or > before passing them to navigateTo.
  • Normalize URLs using JavaScript's URL constructor, e.g., new URL(input).toString(), to ensure only valid URLs are accepted.
  • Avoid passing raw user input directly to navigateTo with external: true without validation.
Compliance Impact

The vulnerability in Nuxt.js (CVE-2026-45669) is a reflected Cross-Site Scripting (XSS) issue that allows attackers to inject arbitrary HTML or JavaScript into server-side redirect responses. This can lead to execution of malicious scripts within the application's origin, potentially compromising the confidentiality and integrity of user data.

Such a vulnerability can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information. Exploitation of this XSS vulnerability could lead to unauthorized access or disclosure of sensitive data, thereby violating these regulations' requirements for data security and privacy.

Mitigations include patching to versions 3.21.6 and 4.4.6 or later, proper input validation, and sanitization to prevent injection attacks, which are necessary steps to maintain compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45669. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart