CVE-2026-34405: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nuxt-modules og-image
CVE-2026-34405 is a medium severity cross-site scripting (XSS) vulnerability in the nuxt-modules og-image component prior to version 6.2.5. The vulnerability allows attackers to inject arbitrary HTML attributes into the page body via the image-generation URI endpoints, leading to potential script execution. Exploitation requires user interaction but no authentication, and the flaw affects the URI paths /_og/d/ and the older /og-image/. This vulnerability impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The issue has been patched in version 6.2.5, and users should upgrade promptly.
AI Analysis
Technical Summary
CVE-2026-34405 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the nuxt-modules og-image component, which generates Open Graph images from Vue templates within Nuxt.js applications. Prior to version 6.2.5, the image-generation endpoints at /_og/d/ and, in older versions, /og-image/ do not properly neutralize request input when generating the HTML page served by these endpoints. Because that input lands inside HTML attributes without adequate escaping, an attacker can inject further attributes into the page body, including event-handler attributes, and so execute script in the context of the victim's browser when the crafted URL is opened. This is a reflected XSS: no authentication is needed, but a victim must visit the attacker-controlled URL. The CVSS v3.1 base score is 6.1 (medium), the value produced by network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low confidentiality and integrity impact and no availability impact (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). No exploits are known in the wild, but any application that exposes these endpoints and dynamically generates OG images with the affected component is at risk. Injected script can be used to steal information reachable from the page, hijack sessions where session material is accessible to script, or mount phishing attacks. The issue was publicly disclosed on March 31, 2026, and patched in version 6.2.5 of the nuxt-modules og-image package. Developers and organizations using versions prior to 6.2.5 should upgrade immediately.
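The attribute-injection pattern behind this CWE-79 finding, shown here as an added illustration and not as the og-image module's own code: a hypothetical server-rendered template interpolates a query parameter into HTML attributes without escaping, beside a hardened version that escapes it. The template, the "title" parameter, the allowed attribute list and the payload are all assumptions constructed for the example.

```javascript
// Added illustration of the CWE-79 attribute-injection pattern, NOT code from
// nuxt-modules/og-image. The template, the "title" parameter and the payload
// are hypothetical; they only show why unescaped attribute interpolation is
// exploitable and what the fix looks like.

// Vulnerable: the parameter is dropped straight into double-quoted attributes.
// A value containing '"' closes the attribute, and the rest of the value is
// parsed as further attributes on the same element, e.g. an onerror= handler.
function renderUnsafe(title) {
  return `<div class="og-card" data-title="${title}">` +
         `<img src="/og-logo.png" alt="${title}"></div>`;
}

// Hardened: escape the characters that have meaning in HTML attribute values
// and text nodes. With '"' and "'" neutralised the value can no longer end the
// attribute; with '<' and '>' neutralised it cannot open a tag either.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(title) {
  const t = escapeAttr(title);
  return `<div class="og-card" data-title="${t}">` +
         `<img src="/og-logo.png" alt="${t}"></div>`;
}

// The template only ever emits these attribute names. Anything else in the
// rendered markup must have come from the interpolated value.
const ALLOWED_ATTRS = new Set(['class', 'data-title', 'src', 'alt']);

// Pull attribute names out of double-quoted attributes. This is a check for
// the demo's own output, not a general HTML parser.
function extractAttrNames(html) {
  const names = [];
  const re = /\s([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Attribute names present in the markup that the template never emits.
function injectedAttributes(html, allowed = ALLOWED_ATTRS) {
  return extractAttrNames(html).filter((n) => !allowed.has(n));
}

// Constructed attacker value: closes the attribute, appends an onerror=
// handler, and reopens a dummy attribute so the markup stays well-formed.
const PAYLOAD = '" onerror="alert(document.domain)" x="';

console.log('unsafe render adds:', injectedAttributes(renderUnsafe(PAYLOAD)));
console.log('safe render adds:  ', injectedAttributes(renderSafe(PAYLOAD)));
```

The escaped output still contains the literal text `onerror=`, which is why log or WAF matching on the raw string is a poor proxy for exploitability; the meaningful question is whether the value can terminate the attribute it was placed in, and `injectedAttributes` answers that at the markup level.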
Potential Impact
The vulnerability enables attackers to execute arbitrary scripts in users' browsers by injecting malicious HTML attributes into dynamically generated Open Graph image pages. This can compromise user confidentiality by stealing cookies, tokens, or other data accessible from script in the browser (cookies marked HttpOnly are not readable by injected script, but requests the script issues still carry them). Integrity may be affected because the attacker can manipulate page content or perform actions on behalf of the user. Availability is not impacted, but reputational damage and potential data breaches remain significant risks. Organizations that rely on nuxt-modules og-image for social media previews or dynamic image generation may expose their users to phishing or session hijacking. The medium CVSS score reflects easy exploitation combined with the requirement for user interaction. The changed scope in the CVSS vector means the vulnerable component (the server rendering the page) differs from the impacted component (the victim's browser, running in the application's origin); it does not imply that other parts of the application are themselves vulnerable. Since no exploits are currently known in the wild, the immediate risk is somewhat reduced, but it remains significant for unpatched, public-facing deployments, where an attacker only has to get a user to open a crafted URL.
Mitigation Recommendations
The primary mitigation is to upgrade the nuxt-modules og-image package to version 6.2.5 or later, where the vulnerability is patched; confirm the resolved version in the lockfile rather than trusting the range declared in package.json. Where an immediate upgrade is not possible, treat every request parameter that reaches the image-generation templates as untrusted: validate it against an allowlist of expected characters and length, and make sure it is escaped for the HTML context it lands in (attribute values need quote escaping, not just tag stripping). Deploy a Content Security Policy that disallows inline event handlers and inline scripts, so that an injected attribute cannot execute even if it reaches the page. Monitor web server logs for requests to the affected endpoints (/_og/d/ and the older /og-image/) whose URL-decoded parameters contain a quote followed by an on*= handler, angle brackets, or a javascript: URL; decode before matching, since payloads are commonly URL-encoded once or twice. Web application firewall rules targeting these URIs are a stopgap rather than a fix, because attribute-injection payloads can be obfuscated. Educate developers on secure coding practices, especially regarding template rendering and user input handling in Vue and Nuxt.js environments. Conduct regular security assessments and penetration testing focusing on dynamic content generation features. Finally, keep all dependencies up to date and subscribe to vulnerability advisories for timely patching.
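A triage script for the mitigation steps above, added here as an example and not taken from the advisory or from nuxt-modules/og-image: it compares an installed version against the fixed release 6.2.5 and scans access-log lines for requests to the affected URI prefixes whose decoded parameters carry attribute-injection markers. The log lines are constructed, and the npm package name nuxt-og-image is an assumption.

```javascript
// Added triage helper for the mitigation steps above; not part of the
// advisory or of nuxt-modules/og-image. Assumptions: the package is installed
// as "nuxt-og-image", logs are in Common/Combined Log Format, and the sample
// lines below are constructed, not real traffic.

const FIXED_VERSION = '6.2.5';
const AFFECTED_PREFIXES = ['/_og/d/', '/og-image/'];

// Compare major.minor.patch numerically; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the installed nuxt-og-image version predates the fixed release.
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Patterns that only make sense if a parameter is breaking out of an HTML
// attribute: a quote followed by an on*= handler, an opening tag, or a
// javascript: URL. Tested against the URL-decoded request target.
const INJECTION_MARKERS = [
  /["']\s*on[a-z]+\s*=/i,
  /<\s*[a-z!\/]/i,
  /javascript\s*:/i,
];

// Parse one CLF/Combined line; return null for lines that do not match.
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// decodeURIComponent throws on malformed escapes; keep the raw string then.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// One hit per request to an affected prefix whose decoded target contains an
// injection marker. Decoding twice catches double-encoded payloads.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    if (!AFFECTED_PREFIXES.some((p) => req.target.startsWith(p))) continue;
    const decoded = safeDecode(safeDecode(req.target));
    const marker = INJECTION_MARKERS.find((re) => re.test(decoded));
    if (marker) hits.push({ ip: req.ip, time: req.time, target: req.target, marker: marker.source });
  }
  return hits;
}

// Constructed sample log lines: one benign request, one single-encoded
// attribute breakout, one double-encoded tag injection on the legacy path,
// one payload against an unrelated path, and one malformed line.
const SAMPLE_LOG = [
  '203.0.113.7 - - [31/Mar/2026:21:38:17 +0000] "GET /_og/d/blog/hello.png?title=Hello%20World HTTP/1.1" 200 5123',
  '198.51.100.23 - - [31/Mar/2026:21:40:02 +0000] "GET /_og/d/blog/hello.png?title=%22%20onerror%3D%22alert(1) HTTP/1.1" 200 5123',
  '198.51.100.23 - - [31/Mar/2026:21:41:15 +0000] "GET /og-image/page.png?description=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 4411',
  '192.0.2.5 - - [31/Mar/2026:21:42:30 +0000] "GET /api/search?q=%22%20onload%3D HTTP/1.1" 404 0',
  'not a log line',
];

console.log('6.2.4 vulnerable:', isVulnerableVersion('6.2.4'));
for (const hit of scanAccessLog(SAMPLE_LOG)) console.log('suspicious:', hit);
```

The scanner deliberately restricts itself to the two affected prefixes and to markers that indicate an attribute or tag breakout, so a benign title containing spaces or punctuation does not produce noise; widen `AFFECTED_PREFIXES` if the application mounts the module under a custom base path.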
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-27T13:45:29.620Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cc3ec9e6bfc5ba1d43daab
Added to database: 3/31/2026, 9:38:17 PM
Last enriched: 3/31/2026, 9:54:04 PM
Last updated: 4/1/2026, 6:14:53 AM