PT-2026-29371 · Unknown · Nuxt Og Image

Dmitry Prokhorov · Published 2026-03-26 · Updated 2026-04-01 · CVE-2026-34405

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Nuxt OG Image versions prior to 6.2.5

Description

The Nuxt OG Image package contains a flaw in the image-generation component accessible via the API endpoint / og/d/ (and /og-image/ in older versions). This issue allows for the injection of arbitrary attributes into the HTML page body through manipulation of GET parameters. Specifically, the vulnerability arises from incorrect parsing of these parameters, leading to potential HTML and JavaScript code injection. The onmouseover and autofocus parameters can be exploited to inject attributes directly into the generated HTML page.

Recommendations

Versions prior to 6.2.5: Upgrade to version 6.2.5 or later to address the vulnerability.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2026-05816
CVE-2026-34405
GHSA-MG36-WVCR-M75H

Affected Products

Nuxt Og Image