CVE-2026-53722
Status: Undergoing Analysis - In Progress
Reflected DOM XSS in Nuxt.js via NuxtLink

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.
Affected Vendors & Products
Vendor: nuxt
Product: nuxt
Version / Range: up to 3.21.7 (excluding 3.21.7)
Only the 3.x range is enumerated as a CPE here; the description above also names 4.x releases before 4.4.7 as affected.
CWE
CWE-83 (Improper Neutralization of Script in Attributes of a Web Page): The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-53722 is a reflected DOM-based cross-site scripting (XSS) vulnerability in the Nuxt.js framework, specifically in the <NuxtLink> component. Before versions 3.21.7 and 4.4.7, the component did not validate the URL scheme of values bound to its to or href props. This allowed attackers to supply malicious URLs using script-capable protocols like javascript: or vbscript: which were then rendered verbatim into the href attribute of anchor elements.

When a user clicks such a malicious link, the supplied script executes in the origin of the Nuxt application, enabling reflected XSS attacks. Additionally, data:text/html payloads could be used for same-tab phishing attacks anchored to legitimate application links. The vulnerability also affected consumers of the component's custom slot that re-bind href and route.href values.

The root cause was improper validation of external URLs, which failed to reject dangerous protocols. The issue was fixed by introducing a sanitization function that rejects script-capable protocols and handles edge cases like whitespace, control characters, and recursive protocols.

Impact Analysis

This vulnerability can lead to reflected DOM-based cross-site scripting attacks, allowing attackers to execute arbitrary scripts in the context of your Nuxt application.

  • Execution of malicious scripts can result in session theft.
  • Attackers may steal CSRF tokens.
  • It can lead to account takeover or credential harvesting.
  • Phishing attacks can be mounted using data:text/html payloads anchored to legitimate links.
Detection Guidance

This vulnerability involves injecting a URL with a script-capable scheme (javascript: or vbscript:) or a data:text/html payload into the href attribute rendered by <NuxtLink>. Detection has two parts: finding the places where your Nuxt application binds untrusted input to that sink, and spotting such values in the traffic that reaches it.

Exposed sinks are found by searching the application code for <NuxtLink> usages, and for consumers of its custom slot that re-bind href or route.href, whose to or href props are bound to user-controlled input without validation. Logs do not show component usage; they show exploitation attempts.

On the network level, scan HTTP requests (and, for server-rendered pages, the response markup) for query parameters or other user input whose value starts with javascript:, vbscript:, or data:. The value normally arrives percent-encoded (javascript%3A), and browsers ignore tab, newline and leading control characters inside a URL, so decode and normalise values before deciding rather than matching the literal string.

  • Search the codebase for dynamic bindings rather than every usage, e.g. `grep -rnE "<NuxtLink[^>]*(:|v-bind:)(to|href)=" --include='*.vue' .`; a tag whose attributes span several lines will not match a line-oriented grep, so also review the hits from a plain `grep -r "<NuxtLink" ./` in components that accept URLs from outside the application.
  • Inspect logs or captured HTTP traffic with a first-pass pattern such as `grep -iE "=(javascript|vbscript|data)(:|%3a)" access.log`, then decode the matched values; this pattern misses obfuscations such as java%09script%3A, which the browser still navigates once the tab is stripped.
  • Use browser developer tools or automated scanners to detect reflected script-capable URLs in rendered pages; read the resolved href of the anchor in the DOM, since that is what the browser will navigate to on click.
Mitigation Strategies

The primary mitigation is to upgrade Nuxt: to 3.21.7 or later on the 3.x line, or to 4.4.7 or later on the 4.x line. Both releases contain the fix.

The fix sanitizes the value <NuxtLink> writes into href by rejecting script-capable schemes and other unsafe URLs before rendering, so a javascript: or vbscript: value never becomes a navigable link. Check that the same guarded value is used wherever your own code consumes the component's custom slot (the href and route.href slot props), because those were exposed to the same raw value.

As an immediate workaround until you can upgrade, validate any user-controlled input before binding it to the to or href props. Normalise the value the way a browser does (remove tab and newline characters anywhere, and strip leading control characters or spaces), then inspect the scheme. Prefer an allow-list of the schemes the field legitimately needs (for example http and https for a profile URL, plus relative paths) over a blocklist of known-bad ones, and substitute a harmless fallback such as # when the check fails.

Do not rely on attribute escaping: the template engine's escaping keeps a quote from breaking out of the href attribute but leaves a javascript: scheme intact, which is exactly the sink this issue describes (CWE-83, not a markup-injection XSS).

Monitor the application for suspicious link values (see Detection Guidance) and disable or remove the affected link rendering until the patch is applied.
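The following is an added example (not Nuxt's own code, and not the actual patch) that puts the Detection Guidance and Mitigation Strategies sections into working JavaScript. It shows the kind of scheme check the fix is described as introducing, applied as an application-side guard beside the unguarded rendering it replaces, and reuses the same check to scan access-log lines for reflected payloads that a literal grep for javascript: would miss. The function names (normalizeHref, extractScheme, isSafeHref, safeHref, renderLinkUnsafe, renderLinkSafe, fullyDecode, scanAccessLogLine, scanLog), the normalisation rules chosen, and the log lines in SAMPLE_LOG are assumptions made for this demo; it runs under Node.js with no dependencies.

```javascript
// Added example, not Nuxt's code: function names and the sample log are constructed for this demo.

// javascript: and vbscript: execute in the page's origin; data: does not, but it
// renders attacker-controlled HTML in the same tab, so it is rejected as well.
const BLOCKED_SCHEMES = new Set(["javascript", "vbscript", "data"]);

// Browsers delete tab/LF/CR anywhere in a URL and strip leading/trailing C0 controls
// and spaces before parsing, so "java\tscript:" still navigates. Do the same first.
function normalizeHref(value) {
  return String(value)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Lower-cased scheme of a URL-like string, or null for a relative reference.
function extractScheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeHref(value));
  return m ? m[1].toLowerCase() : null;
}

// Blocklist check as the advisory describes the fix: relative references pass.
function isSafeHref(value) {
  const scheme = extractScheme(value);
  return scheme === null || !BLOCKED_SCHEMES.has(scheme);
}

// Application-side guard; an allow-list of expected schemes is stricter than the blocklist.
function safeHref(value, fallback = "#", allowedSchemes = null) {
  const scheme = extractScheme(value);
  const ok = scheme === null
    || (allowedSchemes ? allowedSchemes.includes(scheme) : !BLOCKED_SCHEMES.has(scheme));
  return ok ? normalizeHref(value) : fallback;
}

// Attribute escaping stops a quote from breaking out but does nothing about the scheme.
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// What the unpatched binding amounts to: the value lands in href verbatim.
function renderLinkUnsafe(site) {
  return `<a href="${escapeAttr(site)}">Website</a>`;
}

// Guarded form: a profile URL should only ever be http(s), so use an allow-list.
function renderLinkSafe(site) {
  return `<a href="${escapeAttr(safeHref(site, "#", ["http", "https"]))}">Website</a>`;
}

// Query values reach the app decoded once; decode until stable (bounded) to catch double encoding.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// One combined-format access-log line -> query parameters whose decoded, normalised value is blocked.
function scanAccessLogLine(line) {
  const m = /"[A-Z]+ (\S+) HTTP\/[\d.]+"/.exec(line);
  if (!m) return [];
  const q = m[1].indexOf("?");
  if (q === -1) return [];
  const findings = [];
  for (const [param, raw] of new URLSearchParams(m[1].slice(q + 1))) {
    const value = fullyDecode(raw);
    const scheme = extractScheme(value);
    if (scheme !== null && BLOCKED_SCHEMES.has(scheme)) findings.push({ param, value, scheme });
  }
  return findings;
}

function scanLog(lines) {
  return lines.flatMap((line, i) => scanAccessLogLine(line).map((f) => ({ line: i + 1, ...f })));
}

// Constructed sample traffic, not real logs. Line 3 evades a literal grep for
// "javascript:" twice over (percent-encoded, tab inside) yet still executes.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Jun/2026:10:01:02 +0000] "GET /profile?site=https%3A%2F%2Fexample.org HTTP/1.1" 200 512',
  '203.0.113.8 - - [12/Jun/2026:10:01:05 +0000] "GET /profile?site=javascript:alert(document.domain) HTTP/1.1" 200 512',
  '203.0.113.9 - - [12/Jun/2026:10:01:09 +0000] "GET /profile?site=java%09script%3Aalert(1) HTTP/1.1" 200 512',
  '203.0.113.10 - - [12/Jun/2026:10:01:12 +0000] "GET /profile?next=%2Fdashboard HTTP/1.1" 200 512',
  '203.0.113.11 - - [12/Jun/2026:10:01:15 +0000] "GET /profile?site=data%3Atext%2Fhtml%2C%3Ch1%3ELogin%3C%2Fh1%3E HTTP/1.1" 200 512',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanLog(SAMPLE_LOG)) console.log(`line ${f.line}: ${f.param}=${f.value} (${f.scheme})`);
  console.log(renderLinkUnsafe("javascript:alert(1)")); // <a href="javascript:alert(1)">Website</a>
  console.log(renderLinkSafe("javascript:alert(1)"));   // <a href="#">Website</a>
}
```

Run it with node to print the three flagged log lines and the two rendered anchors. The blocklist in isSafeHref mirrors the advisory's description of the fix; for application code that knows which schemes a field should carry, the allow-list argument to safeHref is the stricter choice. Both paths return the normalised value, so what passes the check is also what the browser will parse.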

Compliance Impact

The vulnerability in Nuxt's <NuxtLink> component allows reflected DOM-based cross-site scripting (XSS) attacks by injecting malicious script-capable URLs. Such XSS vulnerabilities can lead to session theft, CSRF token theft, account takeover, or credential harvesting.

These security risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information. Exploitation of this vulnerability could result in unauthorized access to sensitive data, potentially violating these regulations.

Therefore, failure to patch this vulnerability or mitigate its risks may lead to non-compliance with data protection and security requirements mandated by such standards.
