CVE-2026-44581— Next.js: Cross-site scripting in App Router applications using CSP nonces
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44581
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Next.js: Cross-site scripting in App Router applications using CSP nonces
Source: NVD (National Vulnerability Database)
Vulnerability Description
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Next.js 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Next.js是Vercel开源的一个 React 框架。 Next.js 13.4.0至15.5.16之前版本和16.2.5之前版本存在跨站脚本漏洞,该漏洞源于App Router应用依赖CSP nonce时,格式错误的nonce值从请求头派生并反射到渲染HTML中,可能导致存储型跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44581
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44581
请登录查看更多情报信息。
- https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4qx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44581
Same Patch Batch · vercel · 2026-05-13 · 13 CVEs total
| CVE-2026-44578 | 8.6 HIGH | Next.js: Server-side request forgery in applications using WebSocket upgrades |
| CVE-2026-44574 | 8.1 HIGH | Next.js: Middleware / Proxy bypass through dynamic route parameter injection |
| CVE-2026-45109 | 7.5 HIGH | Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes |
| CVE-2026-44579 | 7.5 HIGH | Next.js: Denial of Service via connection exhaustion in applications using Cache Component |
| CVE-2026-44575 | 7.5 HIGH | Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes |
| CVE-2026-44573 | 7.5 HIGH | Next.js: Middleware / Proxy bypass in Pages Router applications using i18n |
| CVE-2026-44580 | 6.1 MEDIUM | Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input |
| CVE-2026-44577 | 5.9 MEDIUM | Next.js: Denial of Service in the Image Optimization API |
| CVE-2026-44479 | 5.5 MEDIUM | Vercel: Non-interactive mode includes CLI arguments in suggested command output |
| CVE-2026-44576 | 5.4 MEDIUM | Next.js: Cache poisoning in React Server Component responses |
| CVE-2026-44572 | 3.7 LOW | Next.js: Middleware / Proxy redirects can be cache-poisoned |
| CVE-2026-44582 | 3.7 LOW | Next.js: Cache poisoning via collisions in React Server Component cache-busting |
IV. Related Vulnerabilities
Same product: next.js
- CVE-2026-45109
Next.js: Middleware / Proxy bypass in App Router application - CVE-2026-44582
Next.js: Cache poisoning via collisions in React Server Comp - CVE-2026-44580
Next.js: Cross-site scripting in beforeInteractive scripts w - CVE-2026-44579
Next.js: Denial of Service via connection exhaustion in appl - CVE-2026-44578
Next.js: Server-side request forgery in applications using W
Same vendor: vercel
- CVE-2026-45773
Turborepo: Login callback CSRF/session fixation - CVE-2026-46508
Turborepo: VSCode Extension command injection - CVE-2026-45772
Turborepo: Unexpected local code execution during Yarn Berry - CVE-2026-45109
Next.js: Middleware / Proxy bypass in App Router application - CVE-2026-44582
Next.js: Cache poisoning via collisions in React Server Comp
Same weakness: CWE-79
- CVE-2026-44549
Open WebUI: Stored XSS in excel file preview - CVE-2026-45299
Open WebUI: Stored Cross-Site Scripting In Profile Picture - CVE-2026-45665
Open WebUI: Stored XSS in Banner Component via Improper Sani - CVE-2026-45318
Open WebUI: Stored XSS via unsanitized Office/Excel/DOCX fil - CVE-2026-45315
Open WebUI: Stored XSS via attacker-controlled file extensio
V. Comments for CVE-2026-44581
No comments yet