Software Detail
Next.js
Number of NVD: 21 (CRITICAL 0, HIGH 11, MEDIUM 9, LOW 1)
URL: https://nextjs.org/
Explanation: Next.js provides the best development environment with all the features you need for production, including hybrid static and server rendering, TypeScript support, smart bundles, route prefetching, and more. No configuration is required.

Translated and excerpted from [https://nextjs.org/]
Tag
  • MIT License
  • Javascript

Add Information URL
No | Type | Name | URL
1 | | | https://github.com/vercel/next.js/

List Of Product
No | Name | Latest Version | Release date | Initial release | Critical | High | Medium | Low
1 | Next.js 14 | 14.3.0-canary.14 | April 21, 2024 | Oct. 26, 2023 | 0 | 3 | 4 | 1
2 | Next.js 13 | 13.5.11 | March 27, 2025 | Oct. 27, 2022 | 0 | 4 | 4 | 1
3 | Next.js 12 | 12.3.1 | Sept. 20, 2022 | Oct. 27, 2021 | 0 | 6 | 3 | 0
4 | Next.js 11 | 11.1.0 | Aug. 12, 2021 | June 23, 2021 | 0 | 4 | 3 | 0
5 | Next.js 10 | 10.0.7 | Feb. 19, 2021 | Oct. 28, 2020 | 0 | 3 | 3 | 0
6 | Next.js 9 | 9.5.5 | Oct. 10, 2020 | | 0 | 1 | 1 | 0
7 | Next.js 8 | 8.0.5 | | | 0 | 1 | 0 | 0
8 | Next.js 7 | 7.0.3 | | | 0 | 1 | 0 | 0
9 | Next.js 6 | 6.0.4 | | | 0 | 1 | 0 | 0
10 | Next.js 5 | 5.0.1 | | | 0 | 1 | 0 | 0
11 | Next.js 4 | 4.0.5 | | | 0 | 1 | 0 | 0
12 | Next.js 3 | 3.0.6 | | | 0 | 1 | 0 | 0
13 | Next.js 2 | 2.0.1 | | | 0 | 1 | 0 | 0
14 | Next.js 1 | 1.0.2 | | | 0 | 1 | 1 | 0

NVD Vulnerability Information
1. CVE-2026-45109
   CVSS3: 7.5, CVSS2: -, Level: HIGH, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts wit…
   CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 15.2.0, 16.0.0
   Less than: 15.5.18, 16.2.6
   Update date: 2026-05-14 23:14
   Published date: 2026-05-14

2. CVE-2026-44582
   CVSS3: 3.7, CVSS2: -, Level: LOW, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments t…
   CWE: CWE-328 Use of Weak Hash
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 13.4.6, 16.0.0
   Less than: 15.5.16, 16.2.5
   Update date: 2026-05-15 03:15
   Published date: 2026-05-14

3. CVE-2026-44581
   CVSS3: 4.7, CVSS2: -, Level: MEDIUM, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site…
   CWE: CWE-79 Cross-site Scripting
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 13.4.0, 16.0.0
   Less than: 15.5.16, 16.2.5
   Update date: 2026-05-15 03:30
   Published date: 2026-05-14

4. CVE-2026-44580
   CVSS3: 6.1, CVSS2: -, Level: MEDIUM, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be…
   CWE: CWE-79 Cross-site Scripting
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 13.0.0, 16.0.0
   Less than: 15.5.16, 16.2.5
   Update date: 2026-05-15 03:33
   Published date: 2026-05-14

5. CVE-2026-44579
   CVSS3: 7.5, CVSS2: -, Level: HIGH, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerab…
   CWE: CWE-770 Allocation of Resources Without Limits or Throttling
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 15.0.0, 16.0.0
   Less than: 15.5.16, 16.2.5
   Update date: 2026-05-15 03:34
   Published date: 2026-05-14

6. CVE-2026-44578
   CVSS3: 8.6, CVSS2: -, Level: HIGH, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to serve…
   CWE: CWE-918 Server-Side Request Forgery (SSRF)
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 13.4.13, 16.0.0
   Less than: 15.5.16, 16.2.5
   Update date: 2026-05-15 03:34
   Published date: 2026-05-14

7. CVE-2026-44577
   CVSS3: 5.9, CVSS2: -, Level: MEDIUM, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fe…
   CWE: CWE-770 Allocation of Resources Without Limits or Throttling
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 10.0.0, 16.0.0
   Less than: 15.5.16, 16.2.5
   Update date: 2026-05-14 05:00
   Published date: 2026-05-14

8. CVE-2026-44576
   CVSS3: 5.4, CVSS2: -, Level: MEDIUM, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when s…
   CWE: CWE-436 Interpretation Conflict
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 14.2.0, 16.0.0
   Less than: 15.5.16, 16.2.5
   Update date: 2026-05-14 22:44
   Published date: 2026-05-14

9. CVE-2026-44575
   CVSS3: 7.5, CVSS2: -, Level: HIGH, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorizatio…
   CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 15.2.0, 16.0.0
   Less than: 15.5.16, 16.2.5
   Update date: 2026-05-14 21:38
   Published date: 2026-05-14

10. CVE-2026-44574
   CVSS3: 8.1, CVSS2: -, Level: HIGH, Attack Vector: Network
   Title: Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to au…
   CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel
   cpe23Uri: cpe:2.3:a:vercel:next.js:*:*
   Or higher: 15.4.0, 16.0.0
   Less than: 15.5.16, 16.2.5
   Update date: 2026-05-14 21:37
   Published date: 2026-05-14