CVE-2026-46342

UNKNOWN 0.0

Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.

CWE	CWE-79 CWE-349 CWE-444
Vendor	nuxt
Product	nuxt
Published	Jun 12, 2026
Last Updated	Jun 12, 2026

Stay Ahead of the Next One

Get instant alerts for nuxt nuxt

Be the first to know when new unknown vulnerabilities affecting nuxt nuxt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

nuxt / nuxt

>= 3.1.0, < 3.21.6 >= 4.0.0-alpha.1, < 4.4.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v github.com: https://github.com/nuxt/nuxt/pull/35077