CVE-2026-46342 LOW

CVE-2026-46342: Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

Vendor Nuxt

Product nuxt

Weakness CWE-79 · XSS

Published June 12, 2026

Last update June 12, 2026

View on NVD All CVEs

CVSS base score

2.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6.

Key dates

02Disclosure timeline

June 12, 2026 CVE published

June 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-46342

Related vulnerabilities

Identifiers

CVE CVE-2026-46342

CWE CWE-79

CVSS 2.3 / LOW

Affected versions

Vendor Nuxt

Product nuxt

Affected >= 3.1.0, < 3.21.6

Vendor Nuxt

Product nuxt

Affected >= 4.0.0-alpha.1, < 4.4.6

CVE-2026-46342: Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

01Description

02Disclosure timeline

03References

04Related CVE