Nuxt — CVE history (npm)
Nuxt
22 CVEs affect the Nuxt npm package (highest CVSS 9.8). Latest disclosed: 2026-06-23. Full CVE history sourced from NVD.
Summary
- Package: Nuxt (npm)
- Total CVEs: 22
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2026-06-23
Recent CVEs (top 20)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-56301 | Medium | 5.5 | — | 2026-06-23 | Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumera… |
| CVE-2026-56698 | Medium | 6.1 | — | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. |
| CVE-2026-56697 | Medium | 6.1 | — | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protoco… |
| CVE-2026-56326 | Medium | 6.1 | — | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. |
| CVE-2026-56317 | Medium | 6.1 | — | 2026-06-20 | Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. |
| CVE-2026-53722 | Medium | 5.4 | — | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-53721 | High | 8.2 | — | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-49993 | Medium | 5.7 | — | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-47200 | Medium | 5.3 | — | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-46342 | Medium | 5.4 | — | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-45670 | Medium | 5.4 | — | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2026-45669 | Medium | 5.4 | — | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-59414 | Low | 3.1 | — | 2025-09-17 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-27415 | High | 7.5 | — | 2025-03-19 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-24361 | Medium | 5.3 | — | 2025-01-25 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-24360 | Medium | 5.3 | — | 2025-01-25 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2024-42352 | High | 8.6 | — | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-34344 | High | 8.8 | — | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-34343 | Medium | 6.3 | — | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-23657 | High | 8.8 | — | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-3224 | Critical | 9.8 | — | 2023-06-13 | Code Injection in GitHub repository nuxt/nuxt prior to 3.5.3. |
| CVE-2024-34344 | High | 8.8 | — | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-23657 | High | 8.8 | — | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2024-42352 | High | 8.6 | — | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2026-53721 | High | 8.2 | — | 2026-06-12 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2025-27415 | High | 7.5 | — | 2025-03-19 | Nuxt is an open-source web development framework for Vue.js. |
| CVE-2024-34343 | Medium | 6.3 | — | 2024-08-05 | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. |
| CVE-2026-56698 | Medium | 6.1 | — | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. |
| CVE-2026-56697 | Medium | 6.1 | — | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protoco… |
| CVE-2026-56326 | Medium | 6.1 | — | 2026-06-22 | Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. |