CVE-2026-44581
Next.js: Cross-site scripting in App Router applications using CSP nonces
CVSS Score
4.7
EPSS Score
0.0%
EPSS Percentile
0th
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.
| CWE | CWE-79 |
| Vendor | vercel |
| Product | next.js |
| Published | May 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for vercel next.js
Be the first to know when new medium vulnerabilities affecting vercel next.js are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
vercel / next.js
>= 13.4.0, < 15.5.16 >= 16.0.0, < 16.2.5