CVE-2026-56317 | Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contain… | CVSS 2.3 LOW

Description

Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.

Metadata

CVE ID: CVE-2026-56317
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 12:59 UTC
Published: 2026-06-20 15:21 UTC
Last updated: 2026-06-20 15:21 UTC
Primary CWE: CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product: Nuxt / Nuxt
Sources: cve.org · NVD

Severity & Metrics

2.3 LOW CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products (2)

Vendor	Product	Platform	Versions
Nuxt	Nuxt	—	4.0.0 < 4.4.7, 4.4.7
Nuxt	Nuxt	—	0 < 3.21.7, 3.21.7

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.3	LOW	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (4)

GHSA Advisory GHSA-m3q2-p4fw-w38m https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m
https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e
https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e
VulnCheck Advisory: Nuxt - Cross-Site Scripting via NoScript Component Slot Content https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-noscript-component-slot-content