Live data from GitHub and npm, updated daily.
Data last fetched: 2026-06-29
10 active CVEs reported via OSV.dev
Nuxt dev server vite-node IPC socket is world-connectable on Linux
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Nuxt: URL-handling weaknesses in `navigateTo` and `reloadNuxtApp`: SSR open redirect, client-side script execution via the `open` option, and protocol-relative bypass in `reloadNuxtApp`
Nuxt: Reflected XSS in `navigateTo()` external redirect
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
nuxt Code Injection vulnerability
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Nuxt allows DOS via cache poisoning with payload rendering response
Cross-site scripting via <NoScript> slot content in Nuxt's head components
Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Get SLA-backed support, security patches, and direct access to senior engineers for Nuxt.js — without relying on volunteer maintainers.