84 matches found
EUVD-2026-36419
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack /...
PT-2026-48868
Name of the Vulnerable Software and Affected Versions @nuxt/rspack-builder versions 3.15.4 through 3.21.6 @nuxt/rspack-builder versions 4.0.0 through 4.4.6 @nuxt/webpack-builder versions 3.15.4 through 3.21.6 @nuxt/webpack-builder versions 4.0.0 through 4.4.6 Description An incomplete fix in the...
PT-2026-48881
Name of the Vulnerable Software and Affected Versions Nuxt versions prior to 3.21.7 Nuxt versions prior to 4.4.7 Description The component fails to validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying element. If an...
PT-2026-48880
Name of the Vulnerable Software and Affected Versions Nuxt versions 3.11.0 through 3.21.6 Nuxt versions 4.0.0 through 4.4.6 Description A route-rule middleware bypass exists due to a case-sensitivity mismatch between vue-router and the routeRules matcher. Recommendations Update to version 3.21.7...
GHSA-6M52-M754-PW2G Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Summary This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address e.g. nuxt dev --host and the developer opens a malicious site on the same network. Details The fix for...
PT-2026-41962
Name of the Vulnerable Software and Affected Versions Nuxt versions 3.4.3 through 3.21.5 Nuxt versions 4.0.0-alpha.1 through 4.4.5 Description When using the navigateTo function with the external: true option, the software generates a server-side HTML redirect body containing a tag. The destinati...
CVE-2026-41248
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in...
CVE-2026-41248 Official Clerk JavaScript SDKs: Middleware-based route protection bypass
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in...
CVE-2024-34344
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the path parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrar...
EUVD-2025-178263
Malicious code in joviology-nuxtjs-ursa-lacerta npm...
EUVD-2025-124257
Malicious code in nova-postcss-loader-nuxtjs-duplex npm...
EUVD-2025-113424
Malicious code in framework-nuxtjs-sedna-build npm...
EUVD-2024-2661
Malicious code in bioql PyPI...
EUVD-2024-2564
Malicious code in bioql PyPI...
EUVD-2023-12868
Malicious code in bioql PyPI...
EUVD-2024-2646
Malicious code in bioql PyPI...
EUVD-2024-2657
Malicious code in bioql PyPI...
EUVD-2022-51758
Malicious code in bioql PyPI...
EUVD-2022-51759
Malicious code in bioql PyPI...
CVE-2025-59414 Nuxt Client-Side Path Traversal in Nuxt Island Payload Revival
Nuxt is an open-source web development framework for Vue.js. Prior to 3.19.0 and 4.1.0, A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specifi...