CVE-2025-13984

CVE-2025-13984: Next.js - Critical - Access bypass - SA-CONTRIB-2025-122

Vendor: Drupal
Product: Next.js
Weakness: CWE-942
Published: January 28, 2026
Last update: January 29, 2026

What the vulnerability does

01 Description

Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.js allows Cross-Site Scripting (XSS). This issue affects Next.js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.

Explanation of Vulnerability in Simple Terms

02 Summary

A vulnerability exists in the Drupal Next.js module affecting versions before 1.6.4 and versions from 2.0.0 before 2.0.1. The specific attack vector and impact are not fully documented in available metadata. Site administrators should update to version 1.6.4 or later on the 1.x branch, or to 2.0.1 on the 2.x branch, to ensure protection. Review the official Drupal security advisory for detailed mitigation steps.

What an attacker can do

03 Attacker Capabilities

Unknown; insufficient CVSS and CWE data to determine attack capability.

Potential impact on your site

04 Site Impact

Sites running the Drupal Next.js module before 1.6.4, or a 2.x release before 2.0.1, may be at risk; update immediately to 1.6.4 or 2.0.1 respectively.

Conditions required to exploit

05 Prerequisites

Unknown; CVSS vector data not available.

Key dates

06 Disclosure timeline

January 28, 2026: CVE published
January 29, 2026: Record updated