EUVD-2026-36422

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled default in Nuxt 4, any...

Next.js 安全漏洞

Next.js is a React framework open source by Vercel. Versions of Next.js from 12.2.0 to 15.5.16, as well as versions before 16.2.5, have security vulnerabilities. These vulnerabilities arise from using the Pages Router and when configuring i18n and middleware or proxy authorization. In these cases...

CVE-2026-33490

Summary (CVE-2026-33490) : In h3 versions 2.0.0-0 through 2.0.1-rc.16, the mount() implementation uses a startsWith() path-prefix check without validating a segment boundary, allowing middleware registered on a mounted sub-app (e.g., at /admin) to run for unrelated routes such as /admin-public or...

CVE-2026-33490 h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes

H3 is a minimal HTTP framework. In versions 2.0.0-0 through 2.0.1-rc.16, the mount method in h3 uses a simple startsWith check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary i.e., that the next...

GHSA-2J6Q-WHV2-GH6W h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes

Summary The mount method in h3 uses a simple startsWith check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary i.e., that the next character after the base is / or end-of-string, middleware...