CVE-2026-46342
Analyzed
Analyzed - Analysis Complete
Server-Side Request Forgery in Nuxt.js Framework
Vulnerability report for CVE-2026-46342, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-12
Last updated on: 2026-06-15
Assigner: GitHub, Inc.
Description
Description
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nuxt | nuxt | From 3.1.0 (inc) to 3.21.6 (exc) |
| nuxt | nuxt | From 4.0.0 (inc) to 4.4.5 (exc) |
| nuxt | nuxt/nitro-server | From 3.20.0 (inc) to 3.21.6 (exc) |
| nuxt | nuxt/nitro-server | From 4.2.0 (inc) to 4.4.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-349 | The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |