GHSA-mg36-wvcr-m75h

Source

https://github.com/advisories/GHSA-mg36-wvcr-m75h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mg36-wvcr-m75h/GHSA-mg36-wvcr-m75h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mg36-wvcr-m75h

Aliases

CVE-2026-34405

Published

2026-03-31T23:27:03Z

Modified

2026-04-06T16:48:05.996343Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes

Details

Product: Nuxt OG Image Version: 6.1.2 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation Description: Incorrect parsing of GET parameters leads to the possibility of HTML injection and JavaScript code injection. Impact: Client-Side JavaScript Execution Exploitation condition: An external user Mitigation: Correct the logic of parsing GET parameters and their subsequent implementation into the generated page. Researcher: Dmitry Prokhorov (Positive Technologies)

Research

During the analysis of the nuxt-og-image package, which is shipped with the nuxt-seo package, a zero‑day vulnerability was discovered. This research revealed that the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. The vulnerability was reproduced using the standard configuration and the default templates.

Listing 1. The content of the configuration file nuxt.config.ts

export default defineNuxtConfig({
  modules: ['nuxt-og-image'],
  devServer: {
    host: 'web-test.local',
    port: 3000
  },
  site: {
    url: 'http://web-test.local:3000',
  },
  ogImage: {
    fonts: [
      'Inter:400', 
      'Inter:700'
    ],
  }
})

Vulnerability reproduction

To demonstrate the proof‑of‑concept, follow the URI: /_og/d/og.html?width=1000&height=1000&onmouseover=alert(document.cookie)&autofocus The injected parameters onmouseover=alert(document.cookie) and autofocus are treated as attributes and are inserted directly into the generated HTML page.

Listing 2. HTTP-request example

GET /_og/d/og.html?width=1000&height=1000&onmouseover=alert(document.cookie) HTTP/1.1
Host: web-test.local:3000

Figure 1. The injected attribute in the HTML body <img width="974" height="670" alt="image" src="https://github.com/user-attachments/assets/d442c235-71a5-4da9-a963-8cf4b8614745" />

Figure 2. JavaScript code execution <img width="974" height="291" alt="image" src="https://github.com/user-attachments/assets/01579f19-8e80-4fae-8516-5903370ee6d8" />

Credits

Researcher: Dmitry Prokhorov (Positive Technologies)

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:27:03Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-31T22:16:18Z"
}

References

Affected packages

npm / nuxt-og-image

Package

Name: nuxt-og-image; View open source insights on deps.dev
Purl: pkg:npm/nuxt-og-image

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.2.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-mg36-wvcr-m75h/GHSA-mg36-wvcr-m75h.json"