CVE Alert

CVE-2026-45669

UNKNOWN 0.0

Nuxt: Reflected XSS in `navigateTo()` external redirect

CVSS Score: 0.0
EPSS Score: 0.1%
EPSS Percentile: 19th

Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6.
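
The escaping gap described above, shown next to a full attribute encoder. This is an added example, not Nuxt's source or its patch: the function names are hypothetical, the sample URL is constructed, and the http(s)-only allow-list is an assumption about what a legitimate external redirect looks like.

```javascript
// Added illustration; not Nuxt's code. All function names are hypothetical.

// Escaping as the advisory describes it: only the double quote is replaced.
function weakEscape(url) {
  return url.replace(/"/g, '%22');
}

// Encode every character that is significant inside an HTML attribute value.
const ATTR_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ENTITIES[ch]);
}

// Build the redirect body. Assumption: only absolute http(s) URLs are valid
// external destinations; anything else is rejected (returns null).
function safeRedirectBody(destination) {
  let parsed;
  try {
    parsed = new URL(destination);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  const url = escapeHtmlAttr(parsed.href);
  return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${url}"></head></html>`;
}

// Regression check: list HTML metacharacters left raw in an escaped value.
function unencodedMetachars(escaped) {
  const stripped = escaped.replace(/&(amp|lt|gt|quot|#39);/g, '');
  return ['&', '<', '>', '"', "'"].filter((ch) => stripped.includes(ch));
}

// Constructed sample containing each character the advisory names.
const sample = 'https://example.test/?a=1&b=<x>\'y\'"z"';
console.log('weak escape leaves raw:', unencodedMetachars(weakEscape(sample)));
console.log('full encoder leaves raw:', unencodedMetachars(escapeHtmlAttr(sample)));
```

A check like unencodedMetachars() can run in a unit test against whatever function builds the redirect body, so a regression to quote-only escaping fails the build.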

CWE: CWE-83
Vendor: nuxt
Product: nuxt
Published: Jun 12, 2026
Last Updated: Jun 12, 2026

Affected Versions

nuxt / nuxt
>= 3.4.3, < 3.21.6
>= 4.0.0-alpha.1, < 4.4.6

References

github.com: https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468
github.com: https://github.com/nuxt/nuxt/pull/35052