CVE-2026-46342
Description
Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (_.json) was actually issued for those inputs by . The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nuxt (npm) | >= 3.1.0, < 3.21.6 | 3.21.6 |
| nuxt (npm) | >= 4.0.0-alpha.1, < 4.4.6 | 4.4.6 |
| @nuxt/nitro-server (npm) | >= 3.20.0, < 3.21.6 | 3.21.6 |
| @nuxt/nitro-server (npm) | >= 4.2.0, < 4.4.6 | 4.4.6 |
References
- github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v (nvd: Mitigation, Patch, Vendor Advisory; WEB)
- github.com/advisories/GHSA-g8wj-3cr3-6w7v (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-46342 (ghsa: ADVISORY)
- github.com/nuxt/nuxt/pull/35077 (nvd: Issue Tracking; WEB)