CVE-2026-47200

UNKNOWN 0.0

Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6.

CWE	CWE-284 CWE-288
Vendor	nuxt
Product	nuxt
Published	Jun 12, 2026

Stay Ahead of the Next One

Get instant alerts for nuxt nuxt

Be the first to know when new unknown vulnerabilities affecting nuxt nuxt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

nuxt / nuxt

>= 3.11.0, < 3.21.6 >= 4.0.0-alpha.1, < 4.4.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nuxt/nuxt/security/advisories/GHSA-hg3f-28rg-4jxj github.com: https://github.com/nuxt/nuxt/pull/35092