
CVE-2026-53722: Nuxt Framework DOM-Based XSS Vulnerability

CVE-2026-53722 is a DOM-based XSS flaw in Nuxt's NuxtLink component that allows attackers to inject malicious scripts through javascript: or vbscript: URLs. This article covers technical details, affected versions, and mitigation.


CVE-2026-53722 Overview

CVE-2026-53722 is a reflected DOM-based cross-site scripting (XSS) vulnerability in Nuxt, an open-source web development framework for Vue.js. The <NuxtLink> component fails to validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. Attackers can supply javascript: or vbscript: URLs through attacker-controlled inputs such as query parameters, CMS fields, or user-supplied profile URLs. The flaw is classified as CWE-79 and affects Nuxt versions prior to 3.21.7 and 4.4.7.

Critical Impact

Clicking a crafted link executes script in the origin of the Nuxt application, enabling reflected DOM-based XSS and same-tab phishing.

Affected Products

  • Nuxt versions prior to 3.21.7
  • Nuxt versions prior to 4.4.7
  • Applications using <NuxtLink> with attacker-controlled input bound to to or href props

Discovery Timeline

  • 2026-06-12 - CVE-2026-53722 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-53722

Vulnerability Analysis

The vulnerability resides in the <NuxtLink> component, which renders an underlying <a> element using values bound to its to or href props. Nuxt does not validate the URL scheme of these values before reflecting them into the rendered markup. When an application binds attacker-controlled input to these props, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim. When the user clicks the link, the supplied script executes in the origin of the Nuxt application.

A data:text/html,... payload reflected through the same sink does not execute in the application's origin. However, it enables a same-tab phishing surface anchored to a legitimate application link, increasing user trust in the deceptive destination.

Root Cause

The root cause is missing scheme validation in the <NuxtLink> component. The component treats any string value supplied to to or href as a safe URL and writes it directly into the href attribute. Dangerous schemes such as javascript: and vbscript: are not stripped, escaped, or rejected. The same unvalidated value was also exposed to consumers of the component's custom slot through the href and route.href props. Applications that re-bind those slot values to their own anchors inherit the identical defect.

Attack Vector

Exploitation requires the target application to bind attacker-controlled data to <NuxtLink :to> or :href. Common sources include URL query parameters, CMS-managed link fields, and user profile URLs. The attacker delivers a crafted URL or stored payload containing a javascript: scheme. User interaction is required: the victim must click the rendered link. Successful exploitation results in script execution within the Nuxt application origin, enabling session theft, account takeover, or content tampering.

No verified public exploitation code was available at the time of publication. See the GitHub Security Advisory GHSA-934w-87qh-qr26 for technical details.

Detection Methods for CVE-2026-53722

Indicators of Compromise

  • HTTP request logs containing query parameters with values beginning with javascript:, vbscript:, or data:text/html
  • Server-rendered HTML responses containing <a href="javascript:..."> originating from <NuxtLink> output
  • Referrer headers indicating navigation from data: or javascript: URLs hosted on the application origin

Detection Strategies

  • Audit application source code for bindings of untrusted input to <NuxtLink> props to or href, and to slot props href or route.href
  • Deploy a Content Security Policy (CSP) that forbids inline script and javascript: URIs, then monitor CSP violation reports
  • Run dynamic application security testing (DAST) with payloads targeting URL scheme injection sinks

Monitoring Recommendations

  • Log and alert on outbound link rendering where the resolved href attribute contains a non-http(s) scheme
  • Monitor web server access logs for parameters carrying scheme prefixes such as javascript: or vbscript:
  • Track installed Nuxt versions across the development inventory and flag any release earlier than 3.21.7 or 4.4.7

How to Mitigate CVE-2026-53722

Immediate Actions Required

  • Upgrade Nuxt to version 3.21.7 or 4.4.7, depending on the major version branch in use
  • Inventory all usage of <NuxtLink> props to and href that receive external input
  • Review custom slot consumers that re-bind href or route.href to their own anchors

Patch Information

The issue has been patched in Nuxt versions 3.21.7 and 4.4.7. Fix commits are available at nuxt/nuxt commit 0103ce0 and nuxt/nuxt commit 5328404. Additional details are documented in the GitHub Security Advisory GHSA-934w-87qh-qr26.

Workarounds

  • Validate and sanitize URL values before passing them to <NuxtLink>; reject any value whose scheme is not http, https, or a known safe relative path
  • Apply an allowlist of permitted URL schemes at the application boundary where CMS or user input is ingested
  • Implement a strict Content Security Policy that blocks inline script execution to reduce XSS impact
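As an added example (not Nuxt's own code and not from the advisory), the following JavaScript implements the first two workarounds as a scheme allowlist applied before untrusted input reaches <NuxtLink :to> or :href. It normalizes input the way a browser's URL parser does before reading the scheme, keeps relative paths and http(s) URLs, and rejects javascript:, vbscript:, data: and protocol-relative values. The placeholder base https://app.invalid/ and the function names are assumptions.

```javascript
// Added example, not Nuxt's own code: a scheme allowlist applied to untrusted
// input before it is bound to <NuxtLink :to> / :href (or re-bound from the
// component's slot props). "https://app.invalid/" is a placeholder base used
// only to resolve relative input; it never appears in the returned value.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const RESOLVE_BASE = new URL("https://app.invalid/");
const FALLBACK_HREF = "#";

// Browsers drop ASCII tab/LF/CR anywhere in a URL and ignore leading/trailing
// C0 controls and spaces before reading the scheme, so "java\tscript:" and
// " javascript:" are still executable. Normalize the same way before checking.
function normalizeUrlInput(value) {
  return String(value)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Returns a value safe to bind to an anchor href, or FALLBACK_HREF if the input
// carries a scheme outside the allowlist (javascript:, vbscript:, data:, ...)
// or is a protocol-relative ("//host", "\\host") reference that leaves the app.
function safeHref(value, fallback = FALLBACK_HREF) {
  if (typeof value !== "string") return fallback;
  const normalized = normalizeUrlInput(value);
  if (normalized === "") return fallback;

  let parsed;
  try {
    parsed = new URL(normalized, RESOLVE_BASE);
  } catch {
    return fallback;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return fallback;

  // Explicit absolute http(s) URL: return the parser's canonical form.
  if (/^https?:\/\//i.test(normalized)) return parsed.href;

  // Anything else was relative; it must have stayed on the placeholder origin.
  // A different origin means the input was protocol-relative ("//evil.test").
  return parsed.origin === RESOLVE_BASE.origin ? normalized : fallback;
}

// Constructed sample inputs; run with node to see which are kept and rejected.
for (const input of ["/profile/42", "JaVaScRiPt:alert(1)", " \tjava\nscript:alert(1)",
                     "data:text/html,<h1>login</h1>", "//evil.test/phish"]) {
  console.log(JSON.stringify(input), "->", safeHref(input));
}
```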
```bash
# Upgrade Nuxt to a patched release
npm install nuxt@^3.21.7
# or for the 4.x branch
npm install nuxt@^4.4.7
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
