High severity7.5GHSA Advisory· Published May 13, 2026· Updated May 14, 2026
CVE-2026-45109
CVE-2026-45109
Description
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nextnpm | >= 15.2.0, < 15.5.18 | 15.5.18 |
nextnpm | >= 16.0.0, < 16.2.6 | 16.2.6 |
Affected products
5- osv-coords4 versionspkg:apk/chainguard/jitsucom-jitsu-consolepkg:apk/chainguard/keep-uipkg:apk/wolfi/jitsucom-jitsu-consolepkg:npm/next
< 2.11.0-r24+ 3 more
- (no CPE)range: < 2.11.0-r24
- (no CPE)range: < 0.51.0-r7
- (no CPE)range: < 2.11.0-r24
- (no CPE)range: >= 15.2.0, < 15.5.18
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-26hh-7cqf-hhc6ghsaADVISORY
- github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-45109ghsaADVISORY
- github.com/vercel/next.js/releases/tag/v15.5.18ghsaWEB
- github.com/vercel/next.js/releases/tag/v16.2.6ghsaWEB
- github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53fghsaWEB
News mentions
0No linked articles in our index yet.