CVE-2026-53722 (GCVE-0-2026-53722)

Vulnerability from cvelistv5 – Published: 2026-06-12 13:44 – Updated: 2026-06-12 15:05
VLAI
Title
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Summary
Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.
Severity
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
Assigner
References
Impacted products
Vendor Product Version
nuxt nuxt Affected: < 3.21.7
Affected: >= 4.0.0, < 4.4.7
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T15:05:40.713482Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-12T15:05:46.393Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nuxt",
          "vendor": "nuxt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.21.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.4.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, \u003cNuxtLink\u003e did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying \u003ca\u003e element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to \u003cNuxtLink :to\u003e or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application\u0027s origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component\u0027s custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-83",
              "description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T13:44:14.592Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26"
        },
        {
          "name": "https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3"
        },
        {
          "name": "https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0"
        }
      ],
      "source": {
        "advisory": "GHSA-934w-87qh-qr26",
        "discovery": "UNKNOWN"
      },
      "title": "Nuxt: Reflected XSS in `\u003cNuxtLink\u003e` via unsanitised `javascript:` or `data:` URL"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-53722",
    "datePublished": "2026-06-12T13:44:14.592Z",
    "dateReserved": "2026-06-10T16:43:31.241Z",
    "dateUpdated": "2026-06-12T15:05:46.393Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53722",
      "date": "2026-06-13",
      "epss": "0.00045",
      "percentile": "0.14208"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-53722\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-12T15:16:31.427\",\"lastModified\":\"2026-06-12T16:01:25.477\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, \u003cNuxtLink\u003e did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying \u003ca\u003e element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to \u003cNuxtLink :to\u003e or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application\u0027s origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component\u0027s custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-83\"}]}],\"references\":[{\"url\":\"https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-53722\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-12T15:05:40.713482Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-12T15:05:42.727Z\"}}], \"cna\": {\"title\": \"Nuxt: Reflected XSS in `\u003cNuxtLink\u003e` via unsanitised `javascript:` or `data:` URL\", \"source\": {\"advisory\": \"GHSA-934w-87qh-qr26\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"nuxt\", \"product\": \"nuxt\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.21.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.4.7\"}]}], \"references\": [{\"url\": \"https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26\", \"name\": \"https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3\", \"name\": \"https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0\", \"name\": \"https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, \u003cNuxtLink\u003e did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying \u003ca\u003e element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to \u003cNuxtLink :to\u003e or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application\u0027s origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component\u0027s custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-83\", \"description\": \"CWE-83: Improper Neutralization of Script in Attributes in a Web Page\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-12T13:44:14.592Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-53722\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-12T15:05:46.393Z\", \"dateReserved\": \"2026-06-10T16:43:31.241Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-12T13:44:14.592Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.