CVE-2026-46342

CVE-2026-46342 is a low-severity cross-site scripting (XSS) vulnerability in nuxt (npm), affecting versions >= 3.1.0, <= 3.21.5. It is fixed in 3.21.6, 4.4.6.

Summary

The /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query.

Island components are documented as rendering independently of route context - page middleware does not apply to them, and they are intentionally cacheable as a function of their props. This advisory does not treat that contract as a vulnerability. It treats the absence of a binding between the URL the cache keys on and the response served at that URL as one.

Workarounds

For users unable to upgrade immediately:

  • Ensure any intermediary cache keys /__nuxt_island/* on the full query string, not on the path alone. This is the recommended configuration regardless.
  • Audit application-authored islands for props flowing into v-html / innerHTML / similar HTML sinks; treat island props as untrusted user input.

Note on island authentication

[!IMPORTANT]
It's important to remember that route middleware does not run when rendering island components, and islands cannot rely on routing-layer auth. Applications gating sensitive data behind page middleware should enforce that auth inside the island's own data layer (server-only routes, useRequestEvent + manual session checks, etc.) rather than relying on the embedding page's middleware - this was true before this advisory and remains true after it.

A separate advisory addresses *.server.vue pages registered as page_<routeName> islands, where the documented "middleware doesn't run for islands" contract collides with the page's own definePageMeta({ middleware }) declaration in a way that constitutes a genuine bug rather than documented behaviour.

Impact

In applications where a CDN or reverse-proxy in front of the app caches /__nuxt_island/* keyed by path only (ignoring query) - a documented misconfiguration class, see GHSA-jvhm-gjrh-3h93 - an attacker can prime the cache for a path with their own choice of props, and subsequent users requesting the same path receive the attacker's rendered HTML rather than the response intended for them. The cache entry persists until normal expiry.

Where the affected island has any prop flowing into an unsafe HTML sink in application code (v-html, innerHTML, a third-party renderer treating a prop as HTML), this becomes stored XSS in the embedding page's origin until the cache entry expires. HttpOnly cookies remain out of reach but anything else in the origin (other cookies, in-origin requests, DOM state) is reachable by the injected script.

Preconditions:

  • experimental.componentIslands enabled (or the default 'auto' with at least one server / island component in the app).
  • A shared intermediary cache (CDN, reverse-proxy, edge cache) keyed on path only.
  • For the XSS pivot specifically: an application-authored island that puts a prop through an unsafe HTML sink.

Without the second precondition, the response shape is per-request and unaffected. Without the third, the worst case is content-swap / inert HTML injection rather than script execution.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Affected versions

nuxt (>= 3.1.0, <= 3.21.5) nuxt (>= 4.0.0-alpha.1, <= 4.4.5) @nuxt/nitro-server (>= 3.20.0, <= 3.21.5) @nuxt/nitro-server (>= 4.2.0, <= 4.4.5)

Security releases

nuxt → 3.21.6 (npm) nuxt → 4.4.6 (npm) @nuxt/nitro-server → 3.21.6 (npm) @nuxt/nitro-server → 4.4.6 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Patched in [email protected] and [email protected] by #35077. The island handler now recomputes the expected hashId from (name, props, context) using the same ohash function <NuxtIsland> already uses to embed the hash in the URL, and rejects requests (HTTP 400) whose URL-resident hash does not match. The response is now a pure function of the request path: a path-keyed shared cache returns the correct response to every requester for that path, and an attacker cannot synthesise a path whose hash matches arbitrary props.

Frequently Asked Questions

  1. What is CVE-2026-46342? CVE-2026-46342 is a low-severity cross-site scripting (XSS) vulnerability in nuxt (npm), affecting versions >= 3.1.0, <= 3.21.5. It is fixed in 3.21.6, 4.4.6. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. Which packages are affected by CVE-2026-46342?
    • nuxt (npm) (versions >= 3.1.0, <= 3.21.5)
    • @nuxt/nitro-server (npm) (versions >= 3.20.0, <= 3.21.5)
  3. Is there a fix for CVE-2026-46342? Yes. CVE-2026-46342 is fixed in 3.21.6, 4.4.6. Upgrade to this version or later.
  4. Is CVE-2026-46342 exploitable, and should I be worried? Whether CVE-2026-46342 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-46342 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-46342?
    • Upgrade nuxt to 3.21.6 or later
    • Upgrade nuxt to 4.4.6 or later
    • Upgrade @nuxt/nitro-server to 3.21.6 or later
    • Upgrade @nuxt/nitro-server to 4.4.6 or later

Other vulnerabilities in nuxt

Stop the waste.
Protect your environment with Kodem.