CVE-2026-46342
low
CVSS v3
—
CVSS v2
—
VIR risk
2.5
Description
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | nuxt | >=3.1.0,<3.21.6 | 3.21.6 |
| npm | nuxt | >=4.0.0-alpha.1,<4.4.6 | 4.4.6 |
| npm | @nuxt/nitro-server | >=3.20.0,<3.21.6 | 3.21.6 |
| npm | @nuxt/nitro-server | >=4.2.0,<4.4.6 | 4.4.6 |
| NPM | @nuxt/nitro-server | >= 4.2.0, <= 4.4.5 | 4.4.6 |
| NPM | @nuxt/nitro-server | >= 3.20.0, <= 3.21.5 | 3.21.6 |
| NPM | nuxt | >= 4.0.0-alpha.1, <= 4.4.5 | 4.4.6 |
| NPM | nuxt | >= 3.1.0, <= 3.21.5 | 3.21.6 |
References
Verify integrity in audit chain (admin only). AS-IS.