PatchSiren cyber security CVE debrief
CVE-2026-46342 nuxt CVE debrief
CVE-2026-46342 is a vulnerability in Nuxt, an open-source web development framework for Vue.js. The vulnerability affects Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, as well as @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6. The /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, allowing the same path to return materially different responses depending on the query.
- Vendor: nuxt
- Product: Unknown
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Developers and administrators using Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, as well as @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 should be aware of this vulnerability.
Technical summary
The vulnerability has a CVSS score of 2.3 and a severity of LOW. It was published on 2026-06-12T14:16:31.590Z and modified on 2026-06-12T16:01:25.477Z. The vulnerability is related to CWE-79, CWE-349, and CWE-444.
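Because the URL hash is not checked against the inputs, one island path can be requested with several different `props` values. The following Node.js script is an added example, not Nuxt code or part of the advisory: it scans request targets taken from an access log and flags island paths seen with more than one distinct `props` value. It assumes `props` arrives as a JSON-encoded query parameter; the sample targets are constructed, and props sent in a request body are not visible to it.

```javascript
// Added example: flag /__nuxt_island/<Name>_<hashId>.json paths that were
// requested with more than one distinct `props` query value.
const ISLAND_RE = /^\/__nuxt_island\/(.+)_([^_\/]+)\.json$/;

// Recursively sort object keys so key order does not create false positives.
function sortKeys(v) {
  if (Array.isArray(v)) return v.map(sortKeys);
  if (v && typeof v === 'object') {
    return Object.fromEntries(Object.keys(v).sort().map(k => [k, sortKeys(v[k])]));
  }
  return v;
}

// Assumption: `props` is JSON. Malformed values are kept distinct, not dropped.
function canonicalProps(raw) {
  if (raw === null) return '';
  try {
    return JSON.stringify(sortKeys(JSON.parse(raw)));
  } catch {
    return 'unparseable:' + raw;
  }
}

function findInconsistentIslandPaths(requestTargets) {
  const seen = new Map(); // pathname -> Set of canonical props values
  for (const target of requestTargets) {
    let url;
    try { url = new URL(target, 'http://placeholder.invalid'); } catch { continue; }
    if (!ISLAND_RE.test(url.pathname)) continue;
    if (!seen.has(url.pathname)) seen.set(url.pathname, new Set());
    seen.get(url.pathname).add(canonicalProps(url.searchParams.get('props')));
  }
  return [...seen]
    .filter(([, values]) => values.size > 1)
    .map(([path, values]) => ({
      path, component: ISLAND_RE.exec(path)[1], distinctProps: values.size,
    }));
}

// Constructed sample request targets (not taken from any real log).
const SAMPLE_TARGETS = [
  '/__nuxt_island/Banner_abc123.json?props=%7B%22title%22%3A%22Hi%22%7D',
  '/__nuxt_island/Banner_abc123.json?props=%7B%22title%22%3A%22Hi%22%7D',
  '/__nuxt_island/Banner_abc123.json?props=%7B%22title%22%3A%22Other%22%7D',
  '/__nuxt_island/Footer_def456.json?props=%7B%22a%22%3A1%2C%22b%22%3A2%7D',
  '/__nuxt_island/Footer_def456.json?props=%7B%22b%22%3A2%2C%22a%22%3A1%7D',
  '/about',
];
console.log(findInconsistentIslandPaths(SAMPLE_TARGETS));
```

A flagged path is a lead for review, not proof of abuse: check whether a cache or CDN in front of the application stored any of those responses.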
Defensive priority
LOW
Recommended defensive actions
- Nuxt 3.x: update to version 3.21.6 or later
- @nuxt/nitro-server 3.x: update to version 3.21.6 or later
- Nuxt 4.x: update to version 4.4.6 or later
- @nuxt/nitro-server 4.x: update to version 4.4.6 or later
Evidence notes
The vulnerability was patched in versions 3.21.6 and 4.4.6.
Official resources
CVE-2026-46342 was published on 2026-06-12T14:16:31.590Z and modified on 2026-06-12T16:01:25.477Z.