CVE-2026-46342

CVE Database · CVE-2026-46342

CVE-2026-46342

· MEDIUMAnalyzed

CVSS v3.1

5.4

CVSS v4.0

2.3

EPSS

0.09%

Published

Jun 12, 2026

Modified

Jun 15, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79CWE-349CWE-444

Affected Products (4)

nuxt · nuxt (up to 3.21.6)vulnerable

nuxt · nuxt (up to 4.4.5)vulnerable

nuxt · nuxt\/nitro-server (up to 3.21.6)vulnerable

nuxt · nuxt\/nitro-server (up to 4.4.6)vulnerable

References (2)

https://github.com/nuxt/nuxt/pull/35077

Issue Tracking

https://github.com/nuxt/nuxt/security/advisories/GHSA-g8wj-3cr3-6w7v

MitigationPatchVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs