PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53722 nuxt CVE debrief

CVE-2026-53722 is a reflected DOM-based cross-site scripting vulnerability in the Nuxt open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, the <NuxtLink> component did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. This allows an attacker to supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. The vulnerability has been patched in versions 3.21.7 and 4.4.7.

Vendor: nuxt
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Developers and users of the Nuxt open-source web development framework for Vue.js, especially those who bind attacker-controlled input to <NuxtLink :to> or :href.

Technical summary

The <NuxtLink> component in Nuxt did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. This allows an attacker to supply a malicious URL that is reflected verbatim into the rendered markup, leading to reflected DOM-based cross-site scripting.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to Nuxt 3.21.7 or 4.4.7, or a later release.
  • Validate and sanitize user-supplied input bound to <NuxtLink :to> or :href.
  • Use a Content Security Policy (CSP) to restrict which scripts can execute in your application.
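
One way to do the validation step above is a scheme allowlist applied before a value reaches <NuxtLink>. This is an added example, not code from Nuxt or from the advisory; safeLinkTarget, ALLOWED_SCHEMES, PARSE_BASE and the sample inputs are assumptions made for illustration.

```javascript
// Added example: scheme allowlist for string link targets (not Nuxt's own code).
// The check uses the WHATWG URL parser, the same algorithm a browser applies to
// an href, so mixed case, leading whitespace and embedded tabs or newlines in
// the scheme are normalised before the comparison instead of slipping past it.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Hypothetical base, used only so that relative paths such as "/about" parse.
const PARSE_BASE = 'https://app.invalid';

function safeLinkTarget(value, fallback = '/') {
  // This example handles string targets only; route objects are out of scope.
  if (typeof value !== 'string') return fallback;

  let parsed;
  try {
    parsed = new URL(value, PARSE_BASE);
  } catch {
    return fallback; // unparseable input is never rendered
  }

  // Relative paths inherit "https:" from PARSE_BASE and therefore pass.
  // This checks the scheme only; it does not restrict the destination host.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? value : fallback;
}

// Constructed sample inputs, as they might arrive from a query parameter.
function checkSamples() {
  const samples = [
    '/about',
    'https://example.com/docs',
    'mailto:security@example.com',
    'javascript:alert(1)',
    'JaVaScRiPt:alert(1)',
    'java\tscript:alert(1)',
    '  vbscript:msgbox(1)',
    'data:text/html,x',
  ];
  return samples.map((s) => [s, safeLinkTarget(s)]);
}

// Usage in a component template (value validated before binding):
//   <NuxtLink :to="safeLinkTarget(userSuppliedUrl)">Continue</NuxtLink>
```

Rejected values fall back to "/" rather than being rewritten, so a blocked input never reaches the rendered href in any form.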

Evidence notes

CVE-2026-53722 has a CVSS score of 5.1 and is classified as MEDIUM severity. The vulnerability was published on 2026-06-12T15:16:31.427Z and modified on 2026-06-12T16:01:25.477Z.

Official resources

CVE-2026-53722 was published on 2026-06-12T15:16:31.427Z and modified on 2026-06-12T16:01:25.477Z.