@nuxt/ui is vulnerable to Cross-site Scripting (XSS)
46
Medium Risk
Affected versions of this package are vulnerable to cross-site scripting (XSS) via the id prop of the Banner component. The code interpolated user-controlled id values into a localStorage getter string without sanitization, so an attacker could craft an id that breaks out of the string literal and executes arbitrary JavaScript. A malicious id supplied this way runs in the victim's browser when the component renders, potentially leading to data theft or session compromise. The patched code uses JSON.stringify to encode the id value, so that it is treated as a safe string literal.
You are affected if you are using a version that falls within the vulnerable range.
@nuxt/ui is vulnerable to Cross-site Scripting (XSS) in versions 4.0.0 - 4.3.0.
Upgrade the @nuxt/ui library to a patched version.
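The difference between the two patterns described above, as an added example that is not @nuxt/ui source code: the function names, the shape of the generated snippet, the stub localStorage and the sample id values are all assumptions constructed for illustration. It builds the getter string both ways and evaluates each against a stub to show whether the id stays a single string literal.

```javascript
// Added example, not @nuxt/ui code. Names and snippet shape are assumptions
// modelled on the advisory text (id placed into a localStorage getter string).

// Vulnerable pattern: the id is pasted between quotes in generated script text.
function buildGetterUnsafe(id) {
  return `localStorage.getItem('${id}')`;
}

// Patched pattern: JSON.stringify emits a complete, escaped string literal.
function buildGetterSafe(id) {
  return `localStorage.getItem(${JSON.stringify(id)})`;
}

// Evaluate generated code against a stub localStorage and report which keys
// were read, whether anything other than the getter ran, and any parse error.
function evaluate(code) {
  const report = { keysRead: [], sideEffect: false, error: null };
  const localStorage = {
    getItem(key) { report.keysRead.push(key); return null; },
  };
  const mark = () => { report.sideEffect = true; }; // stands in for injected code
  try {
    new Function('localStorage', 'mark', code)(localStorage, mark);
  } catch (err) {
    report.error = err.name;
  }
  return report;
}

// Constructed sample ids: a plain one, one that closes the quote, and one with
// characters that are not valid inside an unescaped single-quoted literal.
const sampleIds = ['promo-banner', "banner'); mark(); ('", 'a"\\b\nc'];

for (const id of sampleIds) {
  console.log(JSON.stringify(id));
  console.log('  unsafe:', evaluate(buildGetterUnsafe(id)));
  console.log('  safe:  ', evaluate(buildGetterSafe(id)));
}
```

With the JSON.stringify form, every sample id is read back as exactly one key and nothing else executes; with plain interpolation the second id runs an extra statement and the third fails to parse.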