Bug 2477191 (CVE-2026-44581) - CVE-2026-44581 next.js: Next.js: Stored Cross-Site Scripting via malformed nonce values in cached responses
Summary: CVE-2026-44581 next.js: Next.js: Stored Cross-Site Scripting via malformed no...
Keywords:
Status: NEW
Alias: CVE-2026-44581
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2484211 2484213 2484223 2484215 2484217 2484219 2484221
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-13 18:01 UTC by OSIDB Bzimport
Modified: 2026-06-02 23:06 UTC (History)
16 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-13 18:01:49 UTC
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.


Note You need to log in before you can comment on or make changes to this bug.