js · nuxt · Heads-up

Nuxt NoScript Component XSS Vulnerability Fixed

The `<NoScript>` component wrote slot content to `innerHTML` instead of `textContent`, bypassing HTML escaping and allowing XSS via untrusted input.

17 Jun 2026 · Read 1 min · Severity: schedule it

What changed

The `<NoScript>` component wrote its slot content to `innerHTML` instead of `textContent`. Whatever was interpolated into the slot, including values taken straight from the URL, therefore landed in the document as raw markup rather than as escaped text, so a `</noscript>` in that input closes the element and anything after it is parsed as live HTML. Fixed in [email protected] and [email protected] by running the content through `escapeHtml` and assigning it with `textContent`.
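The following is an added example, not code from Nuxt or the unhead project, that shows the two shapes side by side as a server-side string renderer: interpolating slot content raw is the SSR equivalent of assigning to `innerHTML`, escaping it first is the equivalent of `textContent`. The `escapeHtml` here is written for the example and is assumed to have coverage equivalent to the one the fix uses; the attacker payload is constructed.

```javascript
// Added example (not Nuxt/unhead code): raw interpolation vs. escaped text
// for a <noscript> element, with a small check that flags a breakout.

// Minimal HTML escaper for the five characters that matter in text and
// attribute context. Assumption: the escaper used by the fixed release has
// equivalent coverage; this one exists only for the demonstration.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')   // must run first so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: slot content is inserted as markup, which is what
// assigning to innerHTML does on the client.
function renderNoScriptVulnerable(slotContent) {
  return `<noscript>${slotContent}</noscript>`;
}

// Hardened shape: escape first, which is what assigning to textContent does.
function renderNoScriptFixed(slotContent) {
  return `<noscript>${escapeHtml(slotContent)}</noscript>`;
}

// Review/test helper: strip the wrapping <noscript> tags and report whether
// any tag-like sequence survives inside. A hit means slot content was able
// to introduce its own elements (or close the wrapper early).
function leaksMarkup(html) {
  const inner = html.replace(/^<noscript>/, '').replace(/<\/noscript>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed attacker input, e.g. the value of ?banner=... in the URL.
// The leading </noscript> ends the element; with scripting enabled the
// browser then parses the <img> as a normal element and runs its handler.
const PAYLOAD = '</noscript><img src=x onerror="alert(document.domain)">';

console.log('vulnerable:', renderNoScriptVulnerable(PAYLOAD));
console.log('fixed:     ', renderNoScriptFixed(PAYLOAD));
console.log('leaks (vulnerable/fixed):',
  leaksMarkup(renderNoScriptVulnerable(PAYLOAD)),
  leaksMarkup(renderNoScriptFixed(PAYLOAD)));
```

Note that escaping `<` is what matters most here: it is the premature `</noscript>` that turns otherwise inert fallback content into live markup once JavaScript is enabled, so a fix that only escaped quotes or ampersands would still leave the breakout.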

Who it affects

All Nuxt applications that render untrusted content inside a `<NoScript>` slot, for example `{{ route.query.banner }}`, a value an attacker controls through the URL.

What to do today

Upgrade to [email protected] or [email protected]. If you cannot upgrade yet, do not interpolate untrusted input into `<NoScript>` slots; where the fallback text must come from user data, set it through `useHead` using `textContent`, which is escaped, rather than `innerHTML`.
