<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-18T02:43:05.020700+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/869b6d3d-899e-4303-964c-8fb8f28b770d/export</id>
    <title>869b6d3d-899e-4303-964c-8fb8f28b770d</title>
    <updated>2026-06-18T02:43:05.402138+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://vulnerability.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "869b6d3d-899e-4303-964c-8fb8f28b770d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49993", "type": "published-proof-of-concept", "source": "https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5", "content": "", "creation_timestamp": "2026-06-02T14:32:20.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/869b6d3d-899e-4303-964c-8fb8f28b770d/export"/>
    <published>2026-06-02T14:32:20+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/84b7c7bf-a5b1-46d0-80a3-029c86971c15/export</id>
    <title>84b7c7bf-a5b1-46d0-80a3-029c86971c15</title>
    <updated>2026-06-18T02:43:05.401979+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "84b7c7bf-a5b1-46d0-80a3-029c86971c15", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49993", "type": "seen", "source": "https://gist.github.com/alon710/304448ca1233c754404dc0354510a0d3", "content": "# CVE-2026-49993: CVE-2026-49993: Proprietary Source Code Exfiltration via Incomplete Same-Origin Verification in Nuxt Dev Servers\n\n&amp;gt; **CVSS Score:** 5.7\n&amp;gt; **Published:** 2026-06-16\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49993\n\n## Summary\nCVE-2026-49993 identifies an incomplete same-origin check validation mechanism in @nuxt/webpack-builder and @nuxt/rspack-builder dev server middleware. When the local development server is bound to a non-loopback address, cross-origin attackers can bypass verification checks by suppressing browser headers, leading to unauthorized retrieval and exfiltration of compiled source code chunks.\n\n## TL;DR\nNuxt dev servers bound to non-loopback interfaces allow headerless cross-origin requests, enabling malicious sites to silently exfiltrate proprietary source code from active local development environments.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-749\n- **Attack Vector**: Adjacent Network\n- **CVSS v3.1 Score**: 5.7\n- **EPSS Score**: 0.00201\n- **Impact**: High Confidentiality Loss\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- @nuxt/webpack-builder\n- @nuxt/rspack-builder\n- **@nuxt/webpack-builder**: &amp;gt;= 3.15.4, &amp;lt; 3.21.7 (Fixed in: `3.21.7`)\n- **@nuxt/rspack-builder**: &amp;gt;= 3.15.4, &amp;lt; 3.21.7 (Fixed in: `3.21.7`)\n- **@nuxt/webpack-builder**: &amp;gt;= 4.0.0, &amp;lt; 4.4.7 (Fixed in: `4.4.7`)\n- **@nuxt/rspack-builder**: &amp;gt;= 4.0.0, &amp;lt; 4.4.7 (Fixed in: `4.4.7`)\n\n## Mitigation\n\n- Restrict development server bindings exclusively to loopback addresses (127.0.0.1 or localhost).\n- Utilize modern web browsers that enforce Local Network Access (LNA) protections.\n- Perform local development activities within isolated browser sessions or profiles.\n\n**Remediation Steps:**\n1. Open the package management configuration of the Nuxt project.\n2. Execute the update command: `pnpm update nuxt` or `pnpm update @nuxt/webpack-builder @nuxt/rspack-builder`.\n3. Verify that dependencies resolve to version 3.21.7 (for Nuxt 3) or 4.4.7 (for Nuxt 4) or higher.\n4. Remove configuration variables that bind the development host to 0.0.0.0 or LAN-visible IPs.\n\n## References\n\n- [GitHub Security Advisory GHSA-x6qj-4h56-5rj5](https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5)\n- [GitHub Security Advisory GHSA-6m52-m754-pw2g](https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g)\n- [Fix Pull Request #35200](https://github.com/nuxt/nuxt/pull/35200)\n- [CVE-2026-49993 Record](https://www.cve.org/CVERecord?id=CVE-2026-49993)\n- [NVD entry for CVE-2026-49993](https://nvd.nist.gov/vuln/detail/CVE-2026-49993)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49993) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T00:11:28.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/84b7c7bf-a5b1-46d0-80a3-029c86971c15/export"/>
    <published>2026-06-17T00:11:28+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/9fc0e22b-d83a-4cdd-89d4-64d042f0e127/export</id>
    <title>9fc0e22b-d83a-4cdd-89d4-64d042f0e127</title>
    <updated>2026-06-18T02:43:05.400327+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "9fc0e22b-d83a-4cdd-89d4-64d042f0e127", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49993", "type": "seen", "source": "https://gist.github.com/alon710/5a51983a1e4f931f3bc541f627d26823", "content": "# CVE-2026-49993: CVE-2026-49993: Proprietary Source Code Exfiltration via Incomplete Same-Origin Verification in Nuxt Dev Servers\n\n&amp;gt; **CVSS Score:** 5.7\n&amp;gt; **Published:** 2026-06-16\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49993\n\n## Summary\nCVE-2026-49993 identifies an incomplete same-origin check validation mechanism in @nuxt/webpack-builder and @nuxt/rspack-builder dev server middleware. When the local development server is bound to a non-loopback address, cross-origin attackers can bypass verification checks by suppressing browser headers, leading to unauthorized retrieval and exfiltration of compiled source code chunks.\n\n## TL;DR\nNuxt dev servers bound to non-loopback interfaces allow headerless cross-origin requests, enabling malicious sites to silently exfiltrate proprietary source code from active local development environments.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-749\n- **Attack Vector**: Adjacent Network\n- **CVSS v3.1 Score**: 5.7\n- **EPSS Score**: 0.00201\n- **Impact**: High Confidentiality Loss\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- @nuxt/webpack-builder\n- @nuxt/rspack-builder\n- **@nuxt/webpack-builder**: &amp;gt;= 3.15.4, &amp;lt; 3.21.7 (Fixed in: `3.21.7`)\n- **@nuxt/rspack-builder**: &amp;gt;= 3.15.4, &amp;lt; 3.21.7 (Fixed in: `3.21.7`)\n- **@nuxt/webpack-builder**: &amp;gt;= 4.0.0, &amp;lt; 4.4.7 (Fixed in: `4.4.7`)\n- **@nuxt/rspack-builder**: &amp;gt;= 4.0.0, &amp;lt; 4.4.7 (Fixed in: `4.4.7`)\n\n## Mitigation\n\n- Restrict development server bindings exclusively to loopback addresses (127.0.0.1 or localhost).\n- Utilize modern web browsers that enforce Local Network Access (LNA) protections.\n- Perform local development activities within isolated browser sessions or profiles.\n\n**Remediation Steps:**\n1. Open the package management configuration of the Nuxt project.\n2. Execute the update command: `pnpm update nuxt` or `pnpm update @nuxt/webpack-builder @nuxt/rspack-builder`.\n3. Verify that dependencies resolve to version 3.21.7 (for Nuxt 3) or 4.4.7 (for Nuxt 4) or higher.\n4. Remove configuration variables that bind the development host to 0.0.0.0 or LAN-visible IPs.\n\n## References\n\n- [GitHub Security Advisory GHSA-x6qj-4h56-5rj5](https://github.com/nuxt/nuxt/security/advisories/GHSA-x6qj-4h56-5rj5)\n- [GitHub Security Advisory GHSA-6m52-m754-pw2g](https://github.com/nuxt/nuxt/security/advisories/GHSA-6m52-m754-pw2g)\n- [Fix Pull Request #35200](https://github.com/nuxt/nuxt/pull/35200)\n- [CVE-2026-49993 Record](https://www.cve.org/CVERecord?id=CVE-2026-49993)\n- [NVD entry for CVE-2026-49993](https://nvd.nist.gov/vuln/detail/CVE-2026-49993)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49993) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T00:21:33.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/9fc0e22b-d83a-4cdd-89d4-64d042f0e127/export"/>
    <published>2026-06-17T00:21:33+00:00</published>
  </entry>
</feed>
