CVE-2026-56697
Received - Intake
Protocol-Relative Path Redirect in Nuxt.js

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: VulnCheck

Description
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.
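The resolution behaviour described above, as an added JavaScript example (not Nuxt source code and not part of the advisory): a protocol-relative path passes a scheme-only check, resolves cross-origin against the page URL, and is rejected once the check resolves the path and compares origins. The function names, the simplified scheme check and the app.example page URL are assumptions made for illustration.

```javascript
// Added illustration; not Nuxt source code. All names below are hypothetical.
const PAGE_URL = 'https://app.example/dashboard'; // constructed current page URL

// Simplified stand-in for a script-protocol check: it rejects only
// script-bearing schemes, so it never looks at where the path points.
function passesScriptProtocolCheck(path) {
  return !/^\s*(javascript|data|vbscript):/i.test(path);
}

// Resolve a path against the page URL, as a browser does on navigation.
function resolveAgainstPage(path, pageUrl = PAGE_URL) {
  return new URL(path, pageUrl);
}

// Hardened check: resolve first, then require the page's own origin.
function isSameOriginPath(path, pageUrl = PAGE_URL) {
  if (typeof path !== 'string' || !passesScriptProtocolCheck(path)) return false;
  let target;
  try {
    target = resolveAgainstPage(path, pageUrl);
  } catch {
    return false; // unparseable input is rejected rather than navigated to
  }
  return target.origin === new URL(pageUrl).origin;
}

// Summarise how each check treats one candidate path.
function evaluate(path, pageUrl = PAGE_URL) {
  const schemeOk = passesScriptProtocolCheck(path);
  return {
    path,
    schemeOk,
    resolved: schemeOk ? resolveAgainstPage(path, pageUrl).href : null,
    allowed: isSameOriginPath(path, pageUrl),
  };
}

// Constructed sample inputs: an in-app path, the page's //evil.com case,
// and a script-scheme value.
for (const p of ['/settings?tab=1', '//evil.com', 'javascript:void(0)']) {
  console.log(evaluate(p));
}
// The same path follows the page's scheme when the page is served over http.
console.log(evaluate('//evil.com', 'http://app.example/dashboard'));
```
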
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
nuxt | nuxt | to 4.4.7 (exc)
nuxt | nuxt | to 3.21.7 (exc)
CWE ID | Description
CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

This vulnerability affects Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7. The reloadNuxtApp function accepts protocol-relative paths such as //evil.com. These paths bypass the script-protocol check but resolve to a cross-origin URL based on the current page's protocol.

Attackers can exploit this by injecting such paths to redirect users to attacker-controlled hosts.

This enables phishing attacks and the theft of OAuth authorization codes.

Impact Analysis

The vulnerability can lead to users being redirected to malicious websites controlled by attackers.

This can facilitate phishing attacks where users may be tricked into revealing sensitive information.

Additionally, attackers can steal OAuth authorization codes, potentially compromising user accounts and access.
