CVE-2026-56317 - Vulnerability Details

Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Nuxt

unaffected

Version	Status	Constraints
`4.0.0`	affected	< 4.4.7
`4.4.7`	unaffected	—

Nuxt

unaffected

Version	Status	Constraints
`0`	affected	< 3.21.7
`3.21.7`	unaffected	—

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

No data.

Project Subscriptions

Vendors	Products
Nuxt Subscribe	Nuxt Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e
https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e
https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m
https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-noscript-component-slot-content

History

Sat, 20 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
Title		Nuxt - Cross-Site Scripting via NoScript Component Slot Content
First Time appeared		Nuxt Nuxt nuxt
Weaknesses		CWE-79
CPEs		cpe:2.3:a:nuxt:nuxt::::::node.js::*
Vendors & Products		Nuxt Nuxt nuxt
References		https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-noscript-component-slot-content
Metrics		cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-06-20T15:21:56.449Z

Updated: 2026-06-20T15:21:56.449Z

Reserved: 2026-06-20T12:59:07.917Z

Link: CVE-2026-56317

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T16:30:08Z

Weaknesses

CWE-79

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object