Nuxt NoScript XSS via unescaped innerHTML <4.4.7, <3.21.7
CVE-2026-56317 Published on June 20, 2026

Nuxt - Cross-Site Scripting via NoScript Component Slot Content
Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.

Weakness Type

What is an XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-56317 has been classified as an XSS vulnerability or weakness.


Products Associated with CVE-2026-56317


Affected Versions

Nuxt: Nuxt: