Next.js
This hub aggregates every CVE we track for Next.js, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 54
- Critical: 3
- High: 22
- In CISA KEV: 1
Severity distribution
- MEDIUM: 25
- HIGH: 22
- LOW: 4
- CRITICAL: 3
Monthly trend
Chart values in order, 2024-07 to 2026-06: 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 2, 0, 2, 3, 0, 0, 0, 4, 3, 0, 5, 1, 13, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Next.js.
- CVE-2026-45109: Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes (score: 7.5)
- CVE-2026-44582: Next.js: Cache poisoning via collisions in React Server Component cache-busting (score: 3.7)
- CVE-2026-44581: Next.js: Cross-site scripting in App Router applications using CSP nonces (score: 4.7)
- CVE-2026-44580: Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input (score: 6.1)
- CVE-2026-44579: Next.js: Denial of Service via connection exhaustion in applications using Cache Components (score: 7.5)
- CVE-2026-44578: Next.js: Server-side request forgery in applications using WebSocket upgrades (score: 8.6)
- CVE-2026-44577: Next.js: Denial of Service in the Image Optimization API (score: 5.9)
- CVE-2026-44576: Next.js: Cache poisoning in React Server Component responses (score: 5.4)
- CVE-2026-44574: Next.js: Middleware / Proxy bypass through dynamic route parameter injection (score: 8.1)
- CVE-2026-44575: Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes (score: 7.5)
- CVE-2026-44573: Next.js: Middleware / Proxy bypass in Pages Router applications using i18n (score: 7.5)
- CVE-2026-44572: Next.js: Middleware / Proxy redirects can be cache-poisoned (score: 3.7)
- CVE-2026-42349: Clerk: Authorization bypass when combining organization, billing, or reverification checks (score: 8.1)
- CVE-2026-41248: Official Clerk JavaScript SDKs: Middleware-based route protection bypass (score: 9.1)
- CVE-2026-29057: Next.js: HTTP request smuggling in rewrites (score: 6.5)
Product normalization is registry-driven with AI assist and human review.