CVE-2026-44581
Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
Description
### Impact App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. ### Fix We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context. ### Workarounds If you cannot upgrade immediately, strip inbound `Content-Security-Policy` request headers from untrusted traffic.
How to fix CVE-2026-44581
To remediate CVE-2026-44581, upgrade the affected package to a fixed version below.
- —upgrade to 15.5.16 or later
Is CVE-2026-44581 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 13.4.0, < 15.5.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |