PatchSiren cyber security CVE debrief
CVE-2026-47200 nuxt CVE debrief
CVE-2026-47200 is a vulnerability in Nuxt, an open-source web development framework for Vue.js. Versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.
- Vendor
- nuxt
- Product
- Unknown
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-13
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-13
Who should care
Developers using Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 should be aware of this vulnerability and take steps to upgrade to a patched version.
Technical summary
The vulnerability allows for unauthorized access to page components, potentially leading to security issues. The CVSS score for this vulnerability is 6.3, indicating a medium severity.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Nuxt version 3.21.6 or later
- Upgrade to Nuxt version 4.4.6 or later
Evidence notes
CVE-2026-47200 has been patched in versions 3.21.6 and 4.4.6. For more information, see [ref-4](https://github.com/nuxt/nuxt/pull/35092) and [ref-5](https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj).
Official resources
CVE-2026-47200 was published on 2026-06-12T14:16:32.137Z and modified on 2026-06-13T04:17:31.633Z.