CVE-2026-45670

Source
https://cve.org/CVERecord?id=CVE-2026-45670
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45670.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45670
Aliases
Related
Published
2026-06-12T12:51:16.156Z
Modified
2026-07-08T08:05:17.178178328Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Details

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45670.json",
    "cwe_ids": [
        "CWE-749"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/nuxt/nuxt

Affected ranges

Type
GIT
Repo
https://github.com/nuxt/nuxt
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:nuxt:nuxt\\/rspack-builder:*:*:*:*:*:node.js:*:*",
        "cpe:2.3:a:nuxt:nuxt\\/webpack-builder:*:*:*:*:*:node.js:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "3.12.2"
        },
        {
            "fixed": "3.21.5"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.4.5"
        },
        {
            "introduced": "3.0.0"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

v3.*
v3.12.2
v3.12.3
v3.12.4
v3.13.0
v3.13.1
v3.13.2
v3.14.0
v3.14.159
v3.14.1592
v3.15.0
v3.15.1
v3.15.2
v3.15.3
v3.15.4
v3.16.0
v3.16.1
v3.16.2
v3.17.0
v3.17.1
v3.17.2
v3.17.3
v3.17.4
v3.17.5
v3.17.6
v3.17.7
v3.18.0
v3.18.1
v3.19.0
v3.19.1
v3.19.2
v3.19.3
v3.20.0
v3.20.1
v3.20.2
v3.21.0
v3.21.1
v3.21.2
v3.21.3
v3.21.4
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.1
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45670.json"