CVE-2026-44581

Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*

History

14 May 2026, 18:30

Type	Values Removed	Values Added
References	~~() https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q -~~	() https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q - Mitigation, Vendor Advisory
CPE		cpe:2.3:a:vercel:next.js::::::node.js::*
First Time		Vercel next.js Vercel

13 May 2026, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-13 18:16

Updated : 2026-05-14 18:30

NVD link : CVE-2026-44581

Mitre link : CVE-2026-44581

CVE.ORG link : CVE-2026-44581

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.7 /10