CVE-2026-44581
MEDIUM4.7EPSS 0.01%Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
Description
### Impact App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. ### Fix We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context. ### Workarounds If you cannot upgrade immediately, strip inbound `Content-Security-Policy` request headers from untrusted traffic.
Affected packages (1)
- npm/next>= 13.4.0, < 15.5.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |