CVE-2026-44581 MEDIUM

CVE-2026-44581: Next.js: Cross-site scripting in App Router applications using CSP nonces

Vendor Vercel

Product next.js

Weakness CWE-79 · XSS

Published May 13, 2026

Last update May 18, 2026

View on NVD All CVEs

CVSS base score

4.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.

Key dates

02Disclosure timeline

May 13, 2026 CVE published

May 18, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-44581 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-44581

CWE CWE-79

CVSS 4.7 / MEDIUM

Affected versions

Vendor Vercel

Product next.js

Affected >= 13.4.0, < 15.5.16

Vendor Vercel

Product next.js

Affected >= 16.0.0, < 16.2.5

CVE-2026-44581: Next.js: Cross-site scripting in App Router applications using CSP nonces

01Description

02Disclosure timeline

03References

04Related CVE