CVE-2026-53721

Source
https://cve.org/CVERecord?id=CVE-2026-53721
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53721.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53721
Aliases
Published
2026-06-12T13:41:34.022Z
Modified
2026-07-08T08:13:43.974686462Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Details

Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53721.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-178",
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/nuxt/nuxt

Affected ranges

Type
GIT
Repo
https://github.com/nuxt/nuxt
Events
Database specific
{
    "cpe": "cpe:2.3:a:nuxt:nuxt:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "3.11.0"
        },
        {
            "fixed": "3.21.7"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.4.7"
        }
    ]
}

Affected versions

v3.*
v3.11.0
v3.11.1
v3.11.2
v3.12.0
v3.12.1
v3.12.2
v3.12.3
v3.12.4
v3.13.0
v3.13.1
v3.13.2
v3.14.0
v3.14.159
v3.14.1592
v3.15.0
v3.15.1
v3.15.2
v3.15.3
v3.15.4
v3.16.0
v3.16.1
v3.16.2
v3.17.0
v3.17.1
v3.17.2
v3.17.3
v3.17.4
v3.17.5
v3.17.6
v3.17.7
v3.18.0
v3.18.1
v3.19.0
v3.19.1
v3.19.2
v3.19.3
v3.20.0
v3.20.1
v3.20.2
v3.21.0
v3.21.1
v3.21.2
v3.21.3
v3.21.4
v3.21.5
v3.21.6
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.1
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53721.json"