PatchSiren cyber security CVE debrief
CVE-2026-45670 nuxt CVE debrief
A vulnerability was found in @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6. This issue is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during development when using the webpack / rspack builder if the development server is bound to a non-loopback address (e.g., `nuxt dev --host`) and the developer opens a malicious site on the same network.
- Vendor: nuxt
- Product: Unknown
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Developers using @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6 should be aware of this vulnerability.
Technical summary
The vulnerability has a CVSS score of 5.9 and is classified as MEDIUM severity. It was published on 2026-06-12T14:16:31.443Z and modified on 2026-06-12T16:01:25.477Z.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to versions 3.21.6 or 4.4.6 or later.
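To check whether a project meets both conditions described above, the following added example (not code from Nuxt or from this advisory) compares exact installed builder versions against the affected ranges and lists package.json scripts that run `nuxt dev --host` on a non-loopback address. The function names and the sample versions and scripts are assumptions made for illustration.

```javascript
// Added example (not Nuxt's or the advisory's code). Ranges are the ones stated on this page.
const BUILDERS = ['@nuxt/webpack-builder', '@nuxt/rspack-builder'];
const RANGES = [['3.15.4', '3.21.6'], ['4.0.0-alpha.1', '4.4.6']]; // [first affected, first fixed)

// Parse an exact "x.y.z[-prerelease]" version; range specifiers such as ^3.20.0 are rejected.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not an exact version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer precedence, so 4.0.0-alpha.1 sorts before 4.0.0 and after 4.0.0-alpha.0.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p < +q ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort before alphanumeric ones
    return p < q ? -1 : 1;
  }
  return 0;
}

const isAffected = (v) => RANGES.some(([lo, hi]) => compare(v, lo) >= 0 && compare(v, hi) < 0);

// Names of package.json scripts that start the dev server with --host on a non-loopback address.
function exposedDevScripts(scripts) {
  const loopback = /^(localhost|127(\.\d+){3}|::1|\[::1\])$/;
  return Object.entries(scripts || {}).filter(([, cmd]) => {
    const m = /\bnuxt\s+dev\b.*?--host(?:[=\s]+([^\s-]\S*))?/.exec(cmd);
    return m !== null && !loopback.test(m[1] || ''); // bare --host counts as non-loopback
  }).map(([name]) => name);
}

// installed: package name -> exact installed version (for example, read from the lockfile).
function assess(installed, scripts) {
  const vulnerable = BUILDERS.filter((p) => installed[p] && isAffected(installed[p]));
  const exposed = exposedDevScripts(scripts);
  return { vulnerable, exposed, atRisk: vulnerable.length > 0 && exposed.length > 0 };
}

// Constructed sample input, not taken from a real project.
const sampleScripts = { dev: 'nuxt dev', 'dev:lan': 'nuxt dev --host', 'dev:local': 'nuxt dev --host 127.0.0.1' };
console.log(assess({ '@nuxt/webpack-builder': '3.20.1', '@nuxt/rspack-builder': '4.4.6' }, sampleScripts));
```

Prerelease builds of a fixed version (for example `4.4.6-rc.1`) sort before the fix and are therefore reported as affected, which errs on the cautious side.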
Evidence notes
The vulnerability was patched in versions 3.21.6 and 4.4.6.
Official resources
Public