457 matches found
Malicious code in nuxt-fonts-devtools (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d6ede5024b6ee71356eedb3dfb3bb648682901bf6b966bbe353daff6082ecc85 Package ships only a package.json and a readme; there is no main entry, no bin, no scripts, no dependencies, and no executable code. The readme...
Malicious code in load-nuxt (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5e95bb337136d6bfafcd6f21bb8cb1d98da703f7e20b851b3af82876018ffac Package name resembles the Nuxt ecosystem's helper naming 'load-nuxt' and is published at version 99.0.3, a version-number shape frequently used in...
Malicious code in load-nuxt-dev (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf0f879297070c07197ace88cfb411c61d497ad150e39c2c5c91349737f5d83a The package name resembles the legitimate Nuxt ecosystem tooling e.g., @nuxt/load-nuxt, and the version 99.0.3 is a common dependency-confusion /...
MAL-2026-6934 Malicious code in load-nuxt (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5e95bb337136d6bfafcd6f21bb8cb1d98da703f7e20b851b3af82876018ffac Package name resembles the Nuxt ecosystem's helper naming 'load-nuxt' and is published at version 99.0.3, a version-number shape frequently used in...
MAL-2026-6935 Malicious code in load-nuxt-dev (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf0f879297070c07197ace88cfb411c61d497ad150e39c2c5c91349737f5d83a The package name resembles the legitimate Nuxt ecosystem tooling e.g., @nuxt/load-nuxt, and the version 99.0.3 is a common dependency-confusion /...
MAL-2026-6937 Malicious code in nuxt-fonts-devtools (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d6ede5024b6ee71356eedb3dfb3bb648682901bf6b966bbe353daff6082ecc85 Package ships only a package.json and a readme; there is no main entry, no bin, no scripts, no dependencies, and no executable code. The readme...
Open Redirect
Nuxt is vulnerable to open redirect. The vulnerability is due to improper validation of path-normalized URLs in navigateTo, where specially crafted paths can bypass external-host checks after normalization, allowing attackers to redirect users to malicious websites and facilitate phishing attacks...
CVE-2026-56301
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...
CVE-2026-56301
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...
EUVD-2026-38436
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...
CVE-2026-56301
Nuxt CVE-2026-56301 affects Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7. When running the development server (nuxt dev) on Linux, the vite-node IPC server is bound to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivilege...
CVE-2026-56301 Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...
EUVD-2026-38379
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when...
EUVD-2026-38378
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect...
PT-2026-51509
Name of the Vulnerable Software and Affected Versions Nuxt versions prior to 4.4.7 Nuxt versions prior to 3.21.7 Description When running the development server on Linux, the vite-node IPC Inter-Process Communication server binds to an abstract-namespace Unix socket without permission restriction...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via the reloadNuxtApp function. An attacker can redirect users to attacker-controlled hosts by injecting protocol-relative paths such as //evil.com, potentially enabling phishing attacks or theft of OAuth authorization...
CVE-2026-56698
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 fail to validate script-capable URLs in the navigateTo open option, allowing client-side script execution. Attackers can supply javascript: URLs through the open parameter to execute arbitrary scripts in the application's origin when...
CVE-2026-56326
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. Attackers can bypass external-host checks using path-normalization techniques to...
CVE-2026-56697
Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect...
CVE-2026-56698
Nuxt CVE-2026-56698 affects Nuxt 4.0.0–4.4.6 and 3.x up to 3.21.6 (versions before the fixed releases). The navigateTo open option fails to validate script-capable URLs, allowing attacker-controlled javascript: URLs to execute arbitrary scripts in the application's origin when user input is passe...