High severity7.5GHSA Advisory· Published May 13, 2026· Updated May 14, 2026
CVE-2026-45109
CVE-2026-45109
Description
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-26hh-7cqf-hhc6ghsaADVISORY
- github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6nvdVendor Advisory
- github.com/vercel/next.js/releases/tag/v15.5.18ghsa
- github.com/vercel/next.js/releases/tag/v16.2.6ghsa
- github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53fghsa
- nvd.nist.gov/vuln/detail/CVE-2026-45109ghsa
News mentions
5- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and MoreThe Hacker News · May 11, 2026
- The Good, the Bad and the Ugly in Cybersecurity – Week 19SentinelOne Labs · May 8, 2026
- ‘PCPJack’ Worm Removes TeamPCP Infections, Steals CredentialsSecurityWeek · May 8, 2026
- New PCPJack worm steals credentials, cleans TeamPCP infectionsBleepingComputer · May 7, 2026
- Vercel Finds More Compromised Accounts in Context.ai-Linked BreachThe Hacker News · Apr 23, 2026