Description
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Next.js versions from 13.4.0 up to just before 15.5.16 and 16.2.5 allow malformed CSP nonces derived from request headers to be rendered unsafely in application pages. An attacker can exploit the reflected nonce to store malicious script payloads in shared cache entries, leading to script execution for subsequent users viewing the cached content.

Affected Systems

Vercel's Next.js framework, specifically App Router applications running version 13.4.0 through 15.5.15 and version 16.2.4. Users of these releases should check that their project dependencies reference one of the fixed versions.

Risk and Exploitability

The CVSS score of 4.7 indicates a low risk rating, and EPSS data is not available, so exploitation likelihood cannot be quantified. The vulnerability is not in the CISA KEV catalog. Exploitation requires deployment behind a shared cache and reliable reflection of nonce values; under those conditions an attacker can poison cache entries and cause arbitrary script execution for later visitors. Because the flaw is a stored cross-site scripting issue, once the malicious nonce is cached it affects every user who receives the cached response.

Generated by OpenCVE AI on May 13, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 15.5.16 or later, or 16.2.5 or later, where the nonce handling bug has been fixed.
  • Ensure that your deployment environment does not cache pages that include user-specific CSP nonces, or configure the cache to be user-aware or bypassed for those pages.
  • Validate that the application properly sanitizes any data derived from request headers before using it as a CSP nonce to prevent future reflection vulnerabilities.

Generated by OpenCVE AI on May 13, 2026 at 19:54 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-ffhc-5mcf-pf4q
Title: Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

History

Wed, 03 Jun 2026 02:30:00 +0000
  References: updated
  Metrics: threat_severity changed from None to Moderate

Mon, 18 May 2026 15:30:00 +0000
  Metrics: ssvc added
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 18:45:00 +0000
  CPEs: added cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Wed, 13 May 2026 20:15:00 +0000
  First Time appeared: Vercel; Vercel next.js
  Vendors & Products: Vercel; Vercel next.js

Wed, 13 May 2026 18:00:00 +0000
  Description: added (the description shown at the top of this page)
  Title: Next.js: Cross-site scripting in App Router applications using CSP nonces
  Weaknesses: CWE-79
  References: updated
  Metrics: cvssV3_1 added
    {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T14:13:33.462Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44581

Vulnrichment

Updated: 2026-05-18T14:13:15.560Z

NVD

Status: Analyzed

Published: 2026-05-13T18:16:18.400

Modified: 2026-05-14T18:30:24.340

Link: CVE-2026-44581

Redhat

Severity: Moderate

Publish Date: 2026-05-13T17:07:15Z

Links: CVE-2026-44581 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T20:00:04Z

Weaknesses