CVE-2026-45669
Status: Analyzed (analysis complete)

Cross-Site Scripting via navigateTo in Nuxt.js

Vulnerability report for CVE-2026-45669, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.

Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-07-01
Sources: NVD, EUVD

Affected Vendors & Products

2 associated CPEs:

Vendor  Product  Version / Range
nuxt    nuxt     From 3.4.3 (inc) to 3.21.6 (exc)
nuxt    nuxt     From 4.0.0 (inc) to 4.4.6 (exc)

The CPE range for the 4.x line starts at 4.0.0, but the description states that the affected range begins at 4.0.0-alpha.1; treat 4.x pre-releases as affected.

Exploitability

CWE: CWE-83 - The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

AI Quick Actions

Executive Summary

CVE-2026-45669 is a reflected Cross-Site Scripting (XSS) vulnerability in the Nuxt.js framework, affecting versions from 3.4.3 before 3.21.6 and from 4.0.0-alpha.1 before 4.4.6. It is triggered when navigateTo() is called during server-side rendering with the external: true option: the server emits an HTML redirect body containing a <meta http-equiv="refresh"> tag whose content attribute carries the destination URL.

In the affected versions that URL is only partially sanitized: double quotes are replaced with %22, while <, >, & and ' are left unencoded. An attacker who controls the URL passed to navigateTo() can therefore break out of the content attribute and inject arbitrary HTML or JavaScript into the redirect body.

The injected code runs under the application's origin before the browser follows the refresh. The issue was patched in Nuxt.js 3.21.6 and 4.4.6 by encoding the HTML-attribute-significant characters in the redirect body.
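
The encoding difference the summary describes, as an added example written for this page rather than taken from Nuxt's source: buildRedirectBodyUnpatched() reproduces the %22-only replacement the advisory attributes to affected versions, buildRedirectBodyEncoded() is a hypothetical hardened variant that entity-encodes all five attribute-significant characters (the real patch may encode differently), and the helper names and the sample URL are constructed for the illustration.

```javascript
// Added example for this page (not Nuxt's own source): the redirect body as
// the advisory describes it for affected versions, next to a variant that
// encodes every HTML-attribute-significant character. The fixed Nuxt versions
// may implement the encoding differently; this illustrates the property only.

const BODY_PREFIX = '<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=';
const BODY_SUFFIX = '"></head></html>';

// Affected behaviour as described: only the double quote is rewritten (to %22);
// <, >, & and ' pass through into the attribute value untouched.
function buildRedirectBodyUnpatched(location) {
  const encodedLoc = location.replace(/"/g, '%22');
  return BODY_PREFIX + encodedLoc + BODY_SUFFIX;
}

// Entity-encode the five characters that matter inside an HTML attribute value.
const ATTR_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtmlAttribute(value) {
  return value.replace(/[&<>"']/g, (ch) => ATTR_ENTITIES[ch]);
}

// Hypothetical hardened variant: the URL reaches the attribute only in
// entity-encoded form, so no markup character survives into the body.
function buildRedirectBodyEncoded(location) {
  return BODY_PREFIX + encodeHtmlAttribute(location) + BODY_SUFFIX;
}

// What attribute-value decoding yields for the five entities above. A browser
// decodes character references while tokenizing the attribute, before it reads
// the refresh directive, so the destination URL is unchanged by the encoding.
function decodeHtmlAttribute(value) {
  const back = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return value.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => back[ent]);
}

// Raw text of the content="..." attribute, delimited the way the tokenizer
// delimits a double-quoted attribute value (up to the next double quote).
function refreshContentAttribute(body) {
  const m = /content="([^"]*)"/.exec(body);
  return m ? m[1] : null;
}

// Constructed demonstration input carrying all five significant characters.
const SAMPLE_LOCATION = 'https://example.com/?q=<b>&x=\'y\'"z';

console.log('unpatched:', buildRedirectBodyUnpatched(SAMPLE_LOCATION));
console.log('encoded:  ', buildRedirectBodyEncoded(SAMPLE_LOCATION));
```

With the sample URL the unpatched body carries <b>, & and ' verbatim inside the attribute, while the encoded body contains only entities; decoding those entities the way a browser does when it reads the attribute gives back the original URL, so the redirect itself is unaffected by the fix.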

Compliance Impact

CVE-2026-45669 is a reflected Cross-Site Scripting (XSS) issue in Nuxt.js that lets an attacker inject arbitrary HTML or JavaScript into a server-side redirect response. Script executing under the application's origin can compromise the confidentiality and integrity of user data.

A vulnerability of this kind bears on compliance with standards and regulations such as GDPR and HIPAA, which require that personal data be protected and user information handled securely. Exploitation could lead to unauthorized access to or disclosure of sensitive data, which these regimes treat as a failure of the required security and privacy controls.

Upgrading to 3.21.6 or later on the 3.x line or 4.4.6 or later on the 4.x line, together with validation of any user-controlled input passed to navigateTo(), are the steps needed to maintain compliance with these standards.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary HTML or JavaScript in the context of your web application by manipulating a URL that the application passes to navigateTo(url, { external: true }) during server-side rendering.

Script execution under the application's origin can lead to theft of sensitive information, session hijacking, or other actions that compromise the confidentiality and integrity of the application and its users.

Two preconditions apply: the application must pass attacker-influenced input (typically a query parameter) to navigateTo() with external: true, and, because the XSS is reflected, a victim must follow a crafted link. Once triggered, the attacker-controlled script runs before the browser follows the redirect.

Detection Guidance

Start from the code. Find every call to navigateTo() with external: true and trace where its URL argument comes from; the vulnerable pattern is user-controlled input, typically a query parameter such as ?next= or ?redirect=, reaching that argument unvalidated.

In request logs, look for redirect parameters whose value contains <, >, & or '. Access logs normally record the request target percent-encoded, so these characters usually appear as %3C, %3E, %26 and %27, and a search for the literal characters misses them. A raw & is also the query-parameter separator, so grep alone cannot tell it apart from a & inside the value.

On the response side, an affected deployment returns a redirect body whose <meta http-equiv="refresh"> content attribute carries the injected characters unencoded. Inspect that body where it is visible in clear text.

  • Capture responses at the origin or at a TLS-terminating proxy, or simply request the redirecting route directly with curl -i; tcpdump or Wireshark only see the body on plaintext HTTP.
  • Search the codebase for the option rather than for the whole call, since the call and its options often span several lines, then review each hit for unvalidated input: grep -rn -E "external:[[:space:]]*true" ./
  • Search access logs for redirect parameters in any position, in both raw and percent-encoded form: grep -E "[?&](next|redirect)=" /path/to/access.log | grep -iE "[<>']|%3C|%3E|%27"
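
A small scanner that does what the log grep cannot, added here as an illustration and not tooling from the page or from Nuxt: it decodes each request target, looks only at the named redirect parameters wherever they sit in the query, and flags values carrying HTML-significant characters or a script-capable scheme. The parameter names, hostnames and log lines are constructed for the example.

```javascript
// Added example (not from the page or from Nuxt): scan access-log lines for
// redirect-style parameters that carry HTML-significant characters or a
// script-capable scheme. Parameter names below are assumptions; adjust them
// to the ones your application actually reads.
const REDIRECT_PARAMS = new Set(['next', 'redirect', 'return_to', 'returnTo', 'url']);

// Constructed sample lines in combined log format; none are real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Jun/2026:10:01:02 +0000] "GET /login?next=%2Fdashboard HTTP/1.1" 302 0',
  '203.0.113.7 - - [12/Jun/2026:10:01:09 +0000] "GET /login?next=https%3A%2F%2Fexample.com%2F%3Fq%3D%3Cb%3E%26x%3D%27y%27 HTTP/1.1" 302 190',
  '198.51.100.3 - - [12/Jun/2026:10:02:11 +0000] "GET /account?tab=billing&redirect=javascript%3Aalert%281%29 HTTP/1.1" 302 150',
  '198.51.100.9 - - [12/Jun/2026:10:02:40 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 5120',
  '198.51.100.9 - - [12/Jun/2026:10:03:01 +0000] "POST /api/items HTTP/1.1" 201 40',
];

// Request target (path + query) taken from the quoted request line.
function parseRequestTarget(line) {
  const m = /"(?:GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

// Decode the query the way the application will see it (searchParams undoes
// percent-encoding and turns + into space), then judge each redirect parameter.
function scanLine(line) {
  const target = parseRequestTarget(line);
  if (!target) return [];
  // The base exists only so that relative request targets parse.
  const url = new URL(target, 'http://log-scan.invalid');
  const findings = [];
  for (const [name, value] of url.searchParams) {
    if (!REDIRECT_PARAMS.has(name)) continue;
    const reasons = [];
    if (/[<>&'"]/.test(value)) reasons.push('html-significant characters');
    if (/^\s*(?:javascript|data|vbscript):/i.test(value)) reasons.push('script-capable scheme');
    if (reasons.length > 0) findings.push({ param: name, value, reasons });
  }
  return findings;
}

// Scan a whole log and tag each finding with its 1-based line number.
function scanLog(lines) {
  return lines.flatMap((line, i) => scanLine(line).map((f) => ({ line: i + 1, ...f })));
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.param}=${JSON.stringify(f.value)} (${f.reasons.join(', ')})`);
}
```

Run it with node; lines 2 and 3 of the sample are reported. Both are exactly the cases a grep for ?next=|?redirect= followed by a search for the literal characters misses: line 2 because its characters arrive percent-encoded, line 3 because redirect= is not the first parameter. Line 4 is ignored because q is not a redirect parameter, which is the false positive a raw search for %3C would produce.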
Mitigation Strategies

The primary mitigation is to upgrade Nuxt.js to a patched version: 3.21.6 or later on the 3.x line, or 4.4.6 or later on the 4.x line. The fix encodes the HTML-attribute-significant characters in the meta-refresh redirect body.

If an immediate upgrade is not possible, validate every user-controlled URL before it reaches navigateTo(url, { external: true }).

  • Reject input that contains any of <, >, &, ' or " rather than stripping those characters: a rejected request is visible in logs, and no partially cleaned value reaches the unsafe template.
  • Parsing with the URL constructor (new URL(input)) is a useful first step because it rejects malformed input and percent-encodes < and > in the path and query, but it is not sufficient on its own: & is never encoded, ' survives in the path and fragment, and a javascript: URL parses without error. Also check that url.protocol is http: or https: and that url.hostname is on an allowlist of permitted destinations.
  • Never hand raw user input to navigateTo with external: true. Where a parameter must choose a destination, map it to a fixed set of known URLs instead of accepting a URL.
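
To make the second point concrete, an added example written for this page (not Nuxt's code) using Node's WHATWG URL implementation: normalizeOnly() shows which of the five characters survive new URL(input).toString(), and validateExternalRedirect() is a hypothetical conservative check for an unpatched deployment; its allowlist and the function names are assumptions.

```javascript
// Added example for this page, not Nuxt code: what the URL constructor does and
// does not neutralize, and a conservative validator for external redirect
// targets to use until the patched version is deployed. The allowlist and the
// function names are assumptions for the illustration.
const ALLOWED_REDIRECT_HOSTS = new Set(['example.com', 'www.example.com']);

// Parse-and-serialize only. This is what "normalize with new URL()" does:
// < and > are percent-encoded in path and query, ' only in the query, and &
// is never touched. Any scheme that parses is accepted, javascript: included.
function normalizeOnly(input) {
  return new URL(input).toString();
}

// Returns the serialized URL when it is acceptable to hand to
// navigateTo(url, { external: true }) on an unpatched version, otherwise null.
function validateExternalRedirect(input, allowedHosts = ALLOWED_REDIRECT_HOSTS) {
  let url;
  try {
    url = new URL(input);                                       // relative paths and garbage fail here
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.username !== '' || url.password !== '') return null;  // no credentials in the authority
  if (!allowedHosts.has(url.hostname)) return null;             // destination must be a known host
  const serialized = url.toString();
  // Whatever the parser left raw is refused outright; on the affected template
  // these five characters would reach the meta refresh attribute unencoded.
  // This also refuses &, so multi-parameter destinations are rejected: the
  // cost of a workaround that cannot touch the template itself.
  if (/[<>&'"]/.test(serialized)) return null;
  return serialized;
}

console.log(normalizeOnly("https://example.com/?q=<b>&x='y'"));  // & survives
console.log(normalizeOnly("https://example.com/a'b#x&y"));       // ' and & survive
console.log(normalizeOnly('javascript:alert(1)'));               // parses without error
console.log(validateExternalRedirect('https://example.com/path?x=1'));
console.log(validateExternalRedirect('https://evil.example/'));  // null
```

The validator deliberately refuses any serialized URL that still contains <, >, &, ' or ", which means destinations with more than one query parameter are rejected until the upgrade lands; that is a cost of a workaround that cannot change the redirect template, not a property of the patched versions.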
