CVE-2026-56698
Analyzed Analyzed - Analysis Complete

Nuxt navigateTo JavaScript URL Client-Side Script Execution

Vulnerability report for CVE-2026-56698, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-25

Assigner: VulnCheck

Description

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when user-controlled input is passed to navigateTo.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-25
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nuxt nuxt From 4.0.0 (inc) to 4.4.7 (exc)
nuxt nuxt From 3.0.0 (inc) to 3.21.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7. It occurs because these versions fail to properly validate script-capable URLs in the navigateTo open option. As a result, attackers can supply javascript: URLs through the open parameter, which leads to the execution of arbitrary client-side scripts within the application's origin when user-controlled input is passed to navigateTo.

Impact Analysis

The vulnerability allows attackers to execute arbitrary client-side scripts in the context of the affected application. This can lead to various security issues such as cross-site scripting (XSS), which may result in data theft, session hijacking, or unauthorized actions performed on behalf of the user.

Compliance Impact

The vulnerability allows client-side script execution via the navigateTo function's open option by accepting script-capable URLs such as javascript:. This can lead to Cross-Site Scripting (XSS) attacks, which may result in unauthorized access to user data or session information.

Such unauthorized access or data exposure could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or breaches.

However, the provided information does not explicitly detail the direct compliance implications or specific regulatory impacts of this vulnerability.

Detection Guidance

This vulnerability can be detected by identifying if your Nuxt application is using vulnerable versions (4.0.0 before 4.4.7 or 3.x before 3.21.7) and if it improperly allows script-capable URLs in the navigateTo function's open option.

To detect exploitation attempts on your system or network, you can monitor for usage of the navigateTo function with the open parameter containing URLs starting with "javascript:", "data:", or "vbscript:" protocols.

While no specific commands are provided in the resources, you can use web application logs or network traffic inspection tools to search for requests or client-side navigation attempts containing these suspicious URL schemes.

  • Search application logs or network captures for URLs or parameters containing "javascript:" or other script-capable protocols in the navigateTo open option.
  • Use browser developer tools or automated scanners to test if the application allows navigation to script-capable URLs via the navigateTo open option.
Mitigation Strategies

The immediate and recommended mitigation is to upgrade Nuxt to a patched version: 4.4.7 or later for the 4.x branch, or 3.21.7 or later for the 3.x branch.

These versions include a fix that blocks unsafe protocols such as "javascript:", "data:", and "vbscript:" in the navigateTo function's open option, preventing client-side script execution.

If upgrading is not immediately possible, consider implementing input validation or sanitization to prevent user-controlled input from passing script-capable URLs to navigateTo.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56698. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart