CVE-2026-34405 (GCVE-0-2026-34405)
Vulnerability from cvelistv5 – Published: 2026-03-31 21:16 – Updated: 2026-04-01 18:43
VLAI?
Title
Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes
Summary
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nuxt-modules | og-image |
Affected:
< 6.2.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34405",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:43:12.726823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:43:23.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "og-image",
"vendor": "nuxt-modules",
"versions": [
{
"status": "affected",
"version": "\u003c 6.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image\u2011generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T21:16:24.918Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h"
}
],
"source": {
"advisory": "GHSA-mg36-wvcr-m75h",
"discovery": "UNKNOWN"
},
"title": "Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34405",
"datePublished": "2026-03-31T21:16:24.918Z",
"dateReserved": "2026-03-27T13:45:29.620Z",
"dateUpdated": "2026-04-01T18:43:23.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-34405\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-31T22:16:18.813\",\"lastModified\":\"2026-04-13T15:17:23.693\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image\u2011generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"6.2.5\",\"matchCriteriaId\":\"4C6B8532-3E90-4B23-8869-FB392D2BF6DD\"}]}]}],\"references\":[{\"url\":\"https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Exploit\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34405\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-01T18:43:12.726823Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-01T18:43:18.343Z\"}}], \"cna\": {\"title\": \"Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes\", \"source\": {\"advisory\": \"GHSA-mg36-wvcr-m75h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"nuxt-modules\", \"product\": \"og-image\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.2.5\"}]}], \"references\": [{\"url\": \"https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h\", \"name\": \"https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image\\u2011generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-31T21:16:24.918Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-34405\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T18:43:23.097Z\", \"dateReserved\": \"2026-03-27T13:45:29.620Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-31T21:16:24.918Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-MG36-WVCR-M75H
Vulnerability from github – Published: 2026-03-31 23:27 – Updated: 2026-04-06 16:39
VLAI?
Summary
Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes
Details
Product: Nuxt OG Image Version: 6.1.2 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation Description: Incorrect parsing of GET parameters leads to the possibility of HTML injection and JavaScript code injection. Impact: Client-Side JavaScript Execution Exploitation condition: An external user Mitigation: Correct the logic of parsing GET parameters and their subsequent implementation into the generated page. Researcher: Dmitry Prokhorov (Positive Technologies)
Research
During the analysis of the nuxt-og-image package, which is shipped with the nuxt-seo package, a zero‑day vulnerability was discovered.
This research revealed that the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. The vulnerability was reproduced using the standard configuration and the default templates.
Listing 1. The content of the configuration file nuxt.config.ts
export default defineNuxtConfig({
modules: ['nuxt-og-image'],
devServer: {
host: 'web-test.local',
port: 3000
},
site: {
url: 'http://web-test.local:3000',
},
ogImage: {
fonts: [
'Inter:400',
'Inter:700'
],
}
})
Vulnerability reproduction
To demonstrate the proof‑of‑concept, follow the URI: /_og/d/og.html?width=1000&height=1000&onmouseover=alert(document.cookie)&autofocus
The injected parameters onmouseover=alert(document.cookie) and autofocus are treated as attributes and are inserted directly into the generated HTML page.
Listing 2. HTTP-request example
GET /_og/d/og.html?width=1000&height=1000&onmouseover=alert(document.cookie) HTTP/1.1
Host: web-test.local:3000
Figure 1. The injected attribute in the HTML body
Figure 2. JavaScript code execution
Credits
Researcher: Dmitry Prokhorov (Positive Technologies)
Severity ?
6.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nuxt-og-image"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34405"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T23:27:03Z",
"nvd_published_at": "2026-03-31T22:16:18Z",
"severity": "MODERATE"
},
"details": "**Product:** Nuxt OG Image \n**Version:** 6.1.2\n**CWE-ID:** [CWE-79](https://cwe.mitre.org/data/definitions/79.html): Improper Neutralization of Input During Web Page Generation\n**Description:** Incorrect parsing of GET parameters leads to the possibility of HTML injection and JavaScript code injection.\n**Impact:** Client-Side JavaScript Execution\n**Exploitation condition:** An external user\n**Mitigation:** Correct the logic of parsing GET parameters and their subsequent implementation into the generated page.\n**Researcher:** Dmitry Prokhorov (Positive Technologies)\n\n## Research \nDuring the analysis of the nuxt-og-image package, which is shipped with the nuxt-seo package, a zero\u2011day vulnerability was discovered.\nThis research revealed that the image\u2011generation component by the URI: `/_og/d/` (and, in older versions, `/og-image/`) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. The vulnerability was reproduced using the standard configuration and the default templates.\n\n\n_Listing 1. The content of the configuration file `nuxt.config.ts`_ \n```\nexport default defineNuxtConfig({\n modules: [\u0027nuxt-og-image\u0027],\n devServer: {\n host: \u0027web-test.local\u0027,\n port: 3000\n },\n site: {\n url: \u0027http://web-test.local:3000\u0027,\n },\n ogImage: {\n fonts: [\n \u0027Inter:400\u0027, \n \u0027Inter:700\u0027\n ],\n }\n})\n```\n\n## Vulnerability reproduction\nTo demonstrate the proof\u2011of\u2011concept, follow the URI: `/_og/d/og.html?width=1000\u0026height=1000\u0026onmouseover=alert(document.cookie)\u0026autofocus`\nThe injected parameters `onmouseover=alert(document.cookie)` and `autofocus` are treated as attributes and are inserted directly into the generated HTML page.\n\n\n_Listing 2. HTTP-request example_\n```\nGET /_og/d/og.html?width=1000\u0026height=1000\u0026onmouseover=alert(document.cookie) HTTP/1.1\nHost: web-test.local:3000\n```\n\n_Figure 1. The injected attribute in the HTML body_\n\u003cimg width=\"974\" height=\"670\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d442c235-71a5-4da9-a963-8cf4b8614745\" /\u003e\n\n_Figure 2. JavaScript code execution_\n\u003cimg width=\"974\" height=\"291\" alt=\"image\" src=\"https://github.com/user-attachments/assets/01579f19-8e80-4fae-8516-5903370ee6d8\" /\u003e\n\n\n## Credits\nResearcher: Dmitry Prokhorov (Positive Technologies)",
"id": "GHSA-mg36-wvcr-m75h",
"modified": "2026-04-06T16:39:56Z",
"published": "2026-03-31T23:27:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34405"
},
{
"type": "PACKAGE",
"url": "https://github.com/nuxt-modules/og-image"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes"
}
FKIE_CVE-2026-34405
Vulnerability from fkie_nvd - Published: 2026-03-31 22:16 - Updated: 2026-04-13 15:17
Severity ?
Summary
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h | Vendor Advisory, Exploit |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nuxt:og_image:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "4C6B8532-3E90-4B23-8869-FB392D2BF6DD",
"versionEndExcluding": "6.2.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image\u2011generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5."
}
],
"id": "CVE-2026-34405",
"lastModified": "2026-04-13T15:17:23.693",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-31T22:16:18.813",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory",
"Exploit"
],
"url": "https://github.com/nuxt-modules/og-image/security/advisories/GHSA-mg36-wvcr-m75h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…