Nuxt, Multiple Vulnerabilities, CVE-2026-45669 (Medium) -DC-Jun2026-460


How CVE-2026-45669 Works

CVE-2026-45669 is a reflected Cross-Site Scripting (XSS) vulnerability discovered in the Nuxt.js framework. It arises from improper handling of user-controlled URLs when the `navigateTo()` function is called with the `external: true` option.
The root cause lies in the way Nuxt generates server-side HTML redirects. When `navigateTo(url, { external: true })` is used, the framework constructs a redirect page containing a `<meta http-equiv="refresh">` tag. The destination URL is embedded within the `content` attribute of this tag. While the `Location` header is properly sanitized using encodeURL(), the HTML body uses a much weaker sanitizer that only replaces double quotes (") with %22. This leaves the other attribute-significant characters (<, >, &, and ') completely unencoded.
An attacker who can control the URL passed to `navigateTo(url, { external: true })` can exploit this discrepancy. By injecting a payload with a `>` character, they can break out of the `content="…"` attribute. Subsequent HTML or JavaScript code, such as <img src=x onerror=alert(document.domain)>, will then be parsed and executed within the application's origin.
This vulnerability is typically triggered through a `?next=` or `?redirect=` query parameter, which is commonly used for post-login redirects. An attacker can craft a malicious link containing the payload. When a victim clicks this link, the server generates the vulnerable redirect page, and the injected script executes immediately in the victim’s browser before any redirect takes place.
The impact is significant, as it allows for reflected XSS attacks, potentially leading to session hijacking, credential theft, and other malicious activities. The vulnerability affects Nuxt versions from 3.4.3 to before 3.21.6, and from 4.0.0-alpha.1 to before 4.4.6. It was patched in versions 3.21.6 and 4.4.6.
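As an added example (not code from Nuxt or from this advisory), the sanitizer contrast described above modelled in plain JavaScript: the pre-fix double-quote-only replacement next to the percent-encoding the patch applies, with the advisory's PoC payload run through both to show which one keeps the URL inside the `content` attribute.

```javascript
// Added example (not Nuxt's own code): models the two sanitizers the advisory
// contrasts and shows why only the percent-encoding one keeps a hostile URL
// inside the meta-refresh `content` attribute.

// Pre-fix behaviour as described: only double quotes are replaced with %22.
function weakSanitize(url) {
  return url.replace(/"/g, '%22');
}

// Post-fix behaviour as described: every HTML-attribute-significant
// character (&, ", ', <, >) is percent-encoded, so none can close the attribute.
function fixedSanitize(url) {
  return url.replace(/[&"'<>]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Builds the server-side redirect page the advisory describes, using the given sanitizer.
function buildRefreshPage(url, sanitize) {
  return '<!DOCTYPE html>\n<html>\n<head>\n' +
    `<meta http-equiv="refresh" content="0; url=${sanitize(url)}">\n` +
    '</head>\n</html>';
}

// Lists the element names that appear in a body. A correctly built redirect page
// contains only html, head and meta; any extra element means the attribute was broken out of.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed payload mirroring the advisory's PoC request.
const PAYLOAD = 'https://evil.example/x><img src=x onerror=alert(document.domain)>';

// Returns the element names found in the vulnerable and in the fixed rendering.
function demo() {
  const vulnerable = buildRefreshPage(PAYLOAD, weakSanitize);
  const fixed = buildRefreshPage(PAYLOAD, fixedSanitize);
  return { vulnerableTags: tagNames(vulnerable), fixedTags: tagNames(fixed) };
}
```

The weak path yields a stray `img` element in the body; the fixed path leaves the whole payload as inert text inside the attribute.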

DailyCVE Form:

Platform: Nuxt.js
Version: <3.21.6, <4.4.6
Vulnerability: Reflected XSS
Severity: Medium (CVSS 6.1)
Date: 2026-05-19

Prediction: 2026-05-19 (Patched)

What Undercode Says:

Analysis of the vulnerability reveals a critical discrepancy in sanitization logic. The framework uses different methods for sanitizing the `Location` header and the HTML meta-refresh body, creating an exploitable gap.

Proof of Concept (PoC):

A global middleware that forwards a query parameter to navigateTo:

// middleware/redirect.global.ts
// Vulnerable pattern: the user-controlled `next` query parameter reaches
// navigateTo() with external: true without any validation.
export default defineNuxtRouteMiddleware((to) => {
  const next = to.query.next as string | undefined
  if (next) {
    return navigateTo(next, { external: true })
  }
})

A malicious request:

GET /?next=https://evil.example/x><img src=x onerror=alert(document.domain)>

The resulting vulnerable response body:

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="0; url=https://evil.example/x><img src=x onerror=alert(document.domain)>">
</head>
</html>

The `>` character terminates the `content` attribute, and the injected `<img>` tag's `onerror` handler executes JavaScript in the application's origin.

Exploit:

An attacker can exploit this vulnerability by crafting a URL with a malicious payload and tricking a user into clicking it. The attack is remote, requires low complexity, and does not need any privileges. The injected script executes in the context of the vulnerable application’s origin, allowing the attacker to steal session cookies, perform actions on behalf of the user, or deface the page.

Example Attack Vector:

https://vulnerable-app.com/login?next=https://evil.com/x><script>alert('XSS')</script>

Protection:

  • Immediate Update: Upgrade to Nuxt version `3.21.6` or `4.4.6` or later, which contain the official fix. The patch properly percent-encodes all HTML-attribute-significant characters (&, ", ', <, >).
  • Input Validation: If an immediate upgrade is not possible, validate all user-controlled URLs before passing them to navigateTo(url, { external: true }). At a minimum, normalize the URL using `new URL(input).toString()` and reject any input containing `<` or `>` characters.
  • Allow-listing: Implement an allow-list of trusted domains or paths for redirect targets, rejecting any URL that does not match the list.
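One way to apply the three mitigations above in front of navigateTo(), as an added example rather than Nuxt's or the advisory's own code; `ALLOWED_HOSTS` and the `example.com` hosts are assumed placeholders:

```javascript
// Added example (not Nuxt's or the advisory's own code): a defensive wrapper
// for external redirects that applies the advisory's checks before a URL is
// handed to navigateTo(url, { external: true }). ALLOWED_HOSTS is a placeholder.

const ALLOWED_HOSTS = new Set(['app.example.com', 'sso.example.com']);

// Returns a normalized absolute URL string if `input` is an acceptable redirect
// target, or null if it must be rejected.
function safeRedirectTarget(input, allowedHosts = ALLOWED_HOSTS) {
  if (typeof input !== 'string' || input.length === 0) return null;
  // Reject attribute-breaking characters up front; a legitimate URL never needs them raw.
  if (/[<>"']/.test(input)) return null;
  let url;
  try {
    url = new URL(input);            // throws on relative or malformed input
  } catch {
    return null;
  }
  // Only web schemes: rules out javascript:, data: and similar.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Allow-list the destination host.
  if (!allowedHosts.has(url.hostname)) return null;
  return url.toString();             // canonical form, safe to pass to navigateTo()
}

// Where it would sit in the advisory's middleware (Nuxt auto-imports; not run here):
// export default defineNuxtRouteMiddleware((to) => {
//   const target = safeRedirectTarget(to.query.next)
//   if (target) return navigateTo(target, { external: true })
//   return navigateTo('/')           // fall back to a fixed internal route
// })
```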

Impact:

  • Reflected Cross-Site Scripting (XSS): An attacker can inject and execute arbitrary JavaScript code in a victim’s browser.
  • Session Hijacking: The executed script can steal session cookies, allowing the attacker to impersonate the victim.
  • Credential Theft: The attacker could present fake login forms to capture user credentials.
  • Phishing and Malware Distribution: Users can be redirected to malicious websites.
  • Data Exfiltration: The script can access and send sensitive data from the page to attacker-controlled servers.

Sources:

Reported By: github.com