CVE-2026-44589

LOW NVD

CVSS Score 3.7

Severity LOW

Published May 14, 2026

Vendor unknown

Description

Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validation. This vulnerability is fixed in 6.4.9.

References

https://github.com/nuxt-modules/og-image/security/advisories/GHSA-c2rm-g55x-8hr5