Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
History

Wed, 24 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Description Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
Title Nuxt - Cross-Site Scripting via NoScript Component Slot Content
First Time appeared Nuxt
Nuxt nuxt
Weaknesses CWE-79
CPEs cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:node.js:*:*
Vendors & Products Nuxt
Nuxt nuxt
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-06-20T15:21:56.449Z

Updated: 2026-06-24T17:53:34.670Z

Reserved: 2026-06-20T12:59:07.917Z

Link: CVE-2026-56317

cve-icon Vulnrichment

Updated: 2026-06-24T17:52:58.310Z

cve-icon NVD

No data.

cve-icon Redhat

No data.