CVE-2026-44581: Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

May 11, 2026 (updated May 14, 2026)

App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors.

References

github.com/advisories/GHSA-ffhc-5mcf-pf4q
github.com/vercel/next.js/releases/tag/v15.5.16
github.com/vercel/next.js/releases/tag/v16.2.5
github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q
nvd.nist.gov/vuln/detail/CVE-2026-44581

Code Behaviors & Features

Detect and mitigate CVE-2026-44581 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →