Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes

Severity:: Medium

Description

Product: Nuxt OG Image Version: 6.1.2 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation Description: Incorrect parsing of GET parameters leads to the possibility of HTML injection and JavaScript code injection.

Recommendation

Update the nuxt-og-image package to the latest compatible version. Followings are version details:

Affected version(s): < 6.2.5
Patched version(s): 6.2.5

References

GHSA-mg36-wvcr-m75h
CVE-2026-34405
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions - CVE-2026-34404
defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag - CVE-2026-30830
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581

How do hackers hack websites?

These 7 PHP mistakes leave your website open to the hackers

How to Secure your NodeJs Express Javascript Application - part 1

Tags:: npm; nuxt-og-image

Anything's wrong? Let us know Last updated on April 06, 2026