CVE-2026-56317
Published: Sat, 20 Jun 2026 16:17
Summary
Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can injec
Details
Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.
Are YOU affected by CVE-2026-56317?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether CVE-2026-56317 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
References
- https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e
- https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e
- https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m
- https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-noscript-component-slot-content
StackPatch runs this match against YOUR installed packages every hour
Free (3 servers) / from $9/mo (14-day free trial) / Solo $9/mo / Pro $29/mo / Team $79/mo. Indie pricing.