Description
navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded.
Recommendation
Update the nuxt package to the latest compatible version. Version details:
Affected version(s): **>= 4.0.0-alpha.1, <= 4.4.5** and **>= 3.4.3, <= 3.21.5**
Patched version(s): **4.4.6** and **3.21.6**
References
Related Issues
- Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
- nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect) - CVE-2026-44589
- md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed) - CVE-2026-46492
- SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware - CVE-2026-44651
Tags: npm, nuxt
Last updated on May 19, 2026