CVE-2026-44581
Last modified
CVE-2026-44581 is a medium-severity vulnerability rated 4.7/10 on the CVSS scale. Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. EPSS estimates a 0.22% chance of exploitation in the next 30 days.
Description
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vercel | Next.Js | >= 13.4.0, < 15.5.16 |
| Vercel | Next.Js | >= 16.0.0, < 16.2.5 |
References
- https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4qMitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-44581?
How severe is CVE-2026-44581?
How do I fix CVE-2026-44581?
Are you affected by CVE-2026-44581?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST