PatchSiren cyber security CVE debrief
CVE-2026-45669 nuxt CVE debrief
CVE-2026-45669 is a vulnerability in the Nuxt open-source web development framework for Vue.js. Versions from 3.4.3 up to but not including 3.21.6, and from 4.0.0-alpha.1 up to but not including 4.4.6, are affected. The navigateTo() function with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin.
- Vendor: nuxt
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Developers running Nuxt versions from 3.4.3 up to but not including 3.21.6, or from 4.0.0-alpha.1 up to but not including 4.4.6, should be aware of this vulnerability, particularly where an external redirect target can be influenced by user-controlled input.
Technical summary
The vulnerability arises from the navigateTo() function in Nuxt, which, for external redirects handled on the server, generates an HTML redirect body with a <meta http-equiv="refresh"> tag whose content attribute carries the destination URL. Only the double-quote character is rewritten (to %22); <, >, &, and ' are left as-is, so a crafted destination can terminate the attribute and the tag and inject arbitrary HTML/JavaScript that runs in the application's origin.
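An added illustration, not Nuxt's own code: a redirect body built with the quote-only rewriting described above, next to a hardened builder that encodes every attribute-significant character, plus a structural check a test suite can use to catch the regression. The template string, the function names and the sample URL are assumptions made for this example.

```javascript
// Constructed sample destination containing every character that matters
// inside an HTML attribute: '&', '<', '>' and "'" (the '"' case is the one
// the weak variant already handles).
const SAMPLE_LOCATION = "https://example.com/path?a=1&b=<2>'x'";

// Number of '<' (and '>') characters in the fixed template below. Any extra
// one in a rendered body means the destination leaked markup into the page.
const TEMPLATE_TAG_COUNT = 6;

// Weak variant, mirroring the behaviour the advisory describes: only '"'
// is rewritten, so '<', '>', '&' and "'" reach the attribute unchanged.
function weakRedirectBody(location) {
  const encodedLoc = location.replace(/"/g, "%22");
  return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`;
}

// Hardened variant: entity-encode all five attribute-significant characters.
// The browser decodes the entities back before it parses the URL, so the
// redirect target is preserved while the attribute can no longer be closed.
function escapeHtmlAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function safeRedirectBody(location) {
  return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${escapeHtmlAttr(location)}"></head></html>`;
}

// Regression check: a correctly encoded body has exactly as many '<' and '>'
// as the template itself, whatever the destination contained.
function redirectBodyIsWellFormed(html) {
  const opens = (html.match(/</g) || []).length;
  const closes = (html.match(/>/g) || []).length;
  return opens === TEMPLATE_TAG_COUNT && closes === TEMPLATE_TAG_COUNT;
}

// Stand-alone run: the weak body fails the check, the hardened body passes.
console.log("weak well-formed:", redirectBodyIsWellFormed(weakRedirectBody(SAMPLE_LOCATION)));
console.log("safe well-formed:", redirectBodyIsWellFormed(safeRedirectBody(SAMPLE_LOCATION)));
```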
Defensive priority
MEDIUM
Recommended defensive actions
- On the Nuxt 3.x line, update to version 3.21.6 or later
- On the Nuxt 4.x line, update to version 4.4.6 or later
Evidence notes
CVE-2026-45669 has a CVSS score of 5.3 and is classified as MEDIUM severity.
Official resources
CVE-2026-45669 was published on 2026-06-12T14:16:31.297Z and modified on 2026-06-12T16:01:25.477Z.