3 matches found
@jacobgardos/vuxtify (>=1.0.2 <=1.0.3) potentially affected by CVE-2026-45670 via @nuxt/webpack-builder (=3.21.5)
@nuxt/webpack-builder NPM version =3.21.5 is affected by a known vulnerability. The following packages have a transitive dependency on @nuxt/webpack-builder and may be impacted:
- @jacobgardos/vuxtify =1.0.2, =1.0.3
Source CVEs: CVE-2026-45670
Source advisory: OSV:GHSA-6M52-M754-PW2G...
PT-2026-41963
Summary: This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.
Details: The fix for...
GHSA-4GF7-FF8X-HQ99 Opening a malicious website while running a Nuxt dev server could allow read-only access to code
Summary: Source code may be stolen during dev when using the webpack / rspack builder and you open a malicious website.
Details: Because a request for a classic script made by a script tag is not subject to the same-origin policy, an attacker can inject in their site and run the script. By using...