XSS in Nuxt

CVE-2026-56317

Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted d…

Vulnerability class: XSS (Cross-Site Scripting)

Affected products

  • Nuxt — versions 4.0.0, 4.4.7, 0