Home

Description

Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.

PUBLISHED Reserved 2026-05-06 | Published 2026-05-13 | Updated 2026-05-18 | Assigner GitHub_M




MEDIUM: 4.7CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 13.4.0, < 15.5.16
affected

>= 16.0.0, < 16.2.5
affected

References

github.com/...ext.js/security/advisories/GHSA-ffhc-5mcf-pf4q

cve.org (CVE-2026-44581)

nvd.nist.gov (CVE-2026-44581)

Download JSON