Medium severity4.7GHSA Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-44581

Description

Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.

Affected products

Vercel/Next.jsGHSA
Range: >= 16.0.0, < 16.2.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-ffhc-5mcf-pf4qghsaADVISORY
github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4qnvdMitigationVendor Advisory
github.com/vercel/next.js/releases/tag/v15.5.16ghsa
github.com/vercel/next.js/releases/tag/v16.2.5ghsa
nvd.nist.gov/vuln/detail/CVE-2026-44581ghsa

News mentions

⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
The Hacker News · May 11, 2026
The Good, the Bad and the Ugly in Cybersecurity – Week 19
SentinelOne Labs · May 8, 2026
‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials
SecurityWeek · May 8, 2026
New PCPJack worm steals credentials, cleans TeamPCP infections
BleepingComputer · May 7, 2026
Vercel Finds More Compromised Accounts in Context.ai-Linked Breach
The Hacker News · Apr 23, 2026
Vercel Confirms Cyber Incident After Sophisticated Attacker Exploits Third‑Party Tool
Infosecurity Magazine · Apr 21, 2026

cvss	0.306
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000