CVE-2026-44589
nuxt-og-image SSRF โ bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
CVSS Score
3.7
EPSS Score
0.0%
EPSS Percentile
0th
Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in [email protected] to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validation. This vulnerability is fixed in 6.4.9.
| CWE | CWE-918 |
| Vendor | nuxt-modules |
| Product | og-image |
| Published | May 14, 2026 |
| Last Updated | May 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for nuxt-modules og-image
Be the first to know when new low vulnerabilities affecting nuxt-modules og-image are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
nuxt-modules / og-image
>= 6.2.5, < 6.4.9