GHSA-m3q2-p4fw-w38m: Cross-site scripting via <NoScript> slot content in Nuxt's head components
Summary
Nuxt's `<NoScript>` component (a way to display content when JavaScript is disabled) had a security flaw where it wrote user-provided data directly into HTML without escaping, allowing attackers to inject malicious scripts. This vulnerability affected all supported versions of Nuxt that include this component.
Solution / Mitigation
Fixed in `nuxt@4.4.7` and backported to `nuxt@3.21.7`. The fix escapes `<NoScript>` slot content using `escapeHtml` from `@vue/shared` and writes it to `textContent` rather than `innerHTML`. Until you can upgrade, avoid putting untrusted user input inside `<NoScript>` slots, or use `useHead({ noscript: [{ textContent: escapedValue }] })` after HTML-escaping the value yourself.
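The interim workaround above (HTML-escape the value yourself, then pass it as `textContent`), sketched as an added example that is not code from Nuxt or from the advisory. `escapeHtml` here is a local stand-in rather than the `@vue/shared` import, and `buildNoscriptHead`, `hasRawMarkup` and the sample string are hypothetical names and constructed input.

```javascript
// Local stand-in escaper (assumption: not the @vue/shared implementation).
// Covers the five characters that are significant in HTML text and attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Coerce first so numbers, null or objects cannot skip escaping.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical helper: builds the object passed to useHead() so that every
// untrusted value is escaped before it reaches a noscript entry.
function buildNoscriptHead(untrustedValues) {
  return {
    noscript: untrustedValues.map((v) => ({ textContent: escapeHtml(v) })),
  };
}

// Regression check for unit tests: true if text still contains raw markup
// characters or an ampersand that is not part of one of our entities.
function hasRawMarkup(text) {
  return /[<>"']/.test(text) || /&(?!(amp|lt|gt|quot|#39);)/.test(text);
}

// Constructed sample input containing every character that must be escaped.
const sample = 'Tom & "Jerry" </noscript><b onclick=\'x\'>';
const head = buildNoscriptHead([sample]);

// In a Nuxt component on an unpatched version, instead of a <NoScript> slot:
//   useHead(head)
```

Escape each value exactly once, at the point where it enters `buildNoscriptHead`, and remove the workaround after upgrading to a fixed release, since the patched component escapes slot content itself.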
Original source: https://github.com/advisories/GHSA-m3q2-p4fw-w38m
First tracked: June 16, 2026 at 08:00 PM