Next.js: Cross-site scripting in App Router applications using CSP nonces

4.7 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.

Basic Information

ID CVE-2026-44581

Source GitHub_M

Published May 13, 2026 at 17:07

Affected Product

Vendor vercel

Product next.js

Version >= 13.4.0, < 15.5.16

Affected Versions vercel next.js >= 13.4.0, < 15.5.16
vercel next.js >= 16.0.0, < 16.2.5

CWE Classification

CWE-79

References

github.com /vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q

{
    "lastseen": "",
    "description": "Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.",
    "published": "2026-05-13T17:07:15.845Z",
    "modified": "2026-05-13T17:07:15.845Z",
    "type": "cve",
    "title": "Next.js: Cross-site scripting in App Router applications using CSP nonces",
    "source": "GitHub_M",
    "references": "https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q",
    "id": "CVE-2026-44581",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "vercel next.js >= 13.4.0, < 15.5.16\nvercel next.js >= 16.0.0, < 16.2.5",
    "sourceHref": "",
    "cvss": {
        "score": 4.7,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "next.js",
    "version": ">= 13.4.0, < 15.5.16",
    "vendor": "vercel",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Next.js: Cross-site scripting in App Router applications using CSP nonces_CVE-2026-44581