PatchSiren cyber security CVE debrief
CVE-2026-49993 nuxt CVE debrief
CVE-2026-49993 is a MEDIUM severity vulnerability in @nuxt/rspack-builder and @nuxt/webpack-builder. An incomplete fix for GHSA-6m52-m754-pw2g allows source code to be stolen during development when the dev server is bound to a non-loopback address and a malicious site is opened on the same network.
- Vendor: nuxt
- Product: Unknown
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Developers using @nuxt/rspack-builder or @nuxt/webpack-builder in versions 3.15.4 up to but not including 3.21.7, or 4.0.0 up to but not including 4.4.7, should be aware of this vulnerability.
Technical summary
The vulnerability is caused by an incomplete fix for GHSA-6m52-m754-pw2g. When the dev server is bound to a non-loopback address (e.g., nuxt dev --host) and a developer opens a malicious site on the same network, source code may still be stolen.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to version 3.21.7 or later, or to version 4.4.7 or later.
- Bind the dev server to a loopback address.
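One way to check a project against both actions, as an added example (not code from this page or from the Nuxt project): it flags resolved builder versions inside the affected ranges above and package.json dev scripts that pass --host without a loopback value. The function names and sample data are assumptions made for illustration, `installed` is assumed to hold exact versions read from the lockfile, and a host set elsewhere (config file or environment) is not covered.

```javascript
// Affected ranges as stated on this page: [3.15.4, 3.21.7) and [4.0.0, 4.4.7).
const AFFECTED = [["3.15.4", "3.21.7"], ["4.0.0", "4.4.7"]];
const BUILDERS = ["@nuxt/webpack-builder", "@nuxt/rspack-builder"];

// Parse "x.y.z" into numbers; pre-release/build suffixes are ignored (assumption).
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// true/false for a parsed version, null when the string is not an exact version.
function isAffected(version) {
  const v = parse(version);
  if (!v) return null; // e.g. "latest" or "^4.4.6": needs manual review
  return AFFECTED.some(([lo, hi]) => cmp(v, parse(lo)) >= 0 && cmp(v, parse(hi)) < 0);
}

// True when a dev script uses --host with no value or with a non-loopback value.
function exposesDevServer(script) {
  if (!/\bnuxi?\s+dev\b/.test(script) && !/\bnuxt\s+dev\b/.test(script)) return false;
  const m = /--host(?![\w-])(?:[=\s]+(\S+))?/.exec(script);
  if (!m) return false; // no --host flag on the command line
  if (!m[1] || m[1].startsWith("-")) return true; // bare --host
  return !["localhost", "127.0.0.1", "::1", "[::1]"].includes(m[1]);
}

// installed: {name: resolvedVersion}; scripts: the package.json "scripts" object.
function audit(installed, scripts) {
  const findings = [];
  for (const name of BUILDERS) {
    if (!(name in installed)) continue;
    const hit = isAffected(installed[name]);
    if (hit !== false) findings.push({ kind: hit ? "affected-version" : "unparsed-version", name, version: installed[name] });
  }
  for (const [name, cmd] of Object.entries(scripts || {}))
    if (exposesDevServer(cmd)) findings.push({ kind: "non-loopback-dev-host", name, cmd });
  return findings;
}

// Constructed sample input, not taken from a real project.
const SAMPLE_INSTALLED = { "@nuxt/webpack-builder": "4.4.6", "@nuxt/rspack-builder": "3.21.7" };
const SAMPLE_SCRIPTS = { dev: "nuxt dev --host", "dev:local": "nuxt dev --host 127.0.0.1", build: "nuxt build" };
console.log(audit(SAMPLE_INSTALLED, SAMPLE_SCRIPTS));
```

An empty result means neither condition was found in the inputs given; an "unparsed-version" finding means the version string was not an exact x.y.z and should be checked by hand.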
Evidence notes
CVE-2026-49993 has a CVSS score of 5.9 and is classified as MEDIUM severity.
Official resources
CVE-2026-49993 was published on 2026-06-12T14:16:32.650Z and modified on 2026-06-12T16:01:25.477Z.