Nuxt — CVE history (npm)

Nuxt

22 CVEs affect the Nuxt npm package (highest CVSS 9.8). Latest disclosed: 2026-06-23. Full CVE history sourced from NVD.

Summary

Package: Nuxt (npm)
Total CVEs: 22
Actively exploited (CISA KEV): 0
Highest CVSS: 9.8
Latest disclosed: 2026-06-23

Recent CVEs (top 20)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-56301 | Medium | 5.5 | | 2026-06-23 | Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumera… |
| CVE-2026-56698 | Medium | 6.1 | | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. |
| CVE-2026-56697 | Medium | 6.1 | | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protoco… |
| CVE-2026-56326 | Medium | 6.1 | | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. |
| CVE-2026-56317 | Medium | 6.1 | | 2026-06-20 | Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. |
| CVE-2026-53722 | Medium | 5.4 | | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-53721 | High | 8.2 | | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-49993 | Medium | 5.7 | | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-47200 | Medium | 5.3 | | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-46342 | Medium | 5.4 | | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-45670 | Medium | 5.4 | | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-45669 | Medium | 5.4 | | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-59414 | Low | 3.1 | | 2025-09-17 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-27415 | High | 7.5 | | 2025-03-19 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-24361 | Medium | 5.3 | | 2025-01-25 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-24360 | Medium | 5.3 | | 2025-01-25 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2024-42352 | High | 8.6 | | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-34344 | High | 8.8 | | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-34343 | Medium | 6.3 | | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-23657 | High | 8.8 | | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |

All-time worst (top 10 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-3224 | Critical | 9.8 | | 2023-06-13 | Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. |
| CVE-2024-34344 | High | 8.8 | | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-23657 | High | 8.8 | | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-42352 | High | 8.6 | | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2026-53721 | High | 8.2 | | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-27415 | High | 7.5 | | 2025-03-19 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2024-34343 | Medium | 6.3 | | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2026-56698 | Medium | 6.1 | | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. |
| CVE-2026-56697 | Medium | 6.1 | | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protoco… |
| CVE-2026-56326 | Medium | 6.1 | | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. |