Next.js Stored Cross-Site Scripting Vulnerability in App Router Applications Using CSP Nonces

Vulnerability

A stored cross-site scripting vulnerability has been identified in Next.js App Router applications that use Content Security Policy (CSP) nonces. Affected versions are 13.4.0 up to but not including 15.5.16, and 16.0.0 up to but not including 16.2.5. Affected applications reflect malformed nonce values taken from request headers into the rendered HTML; when the application is deployed behind a shared cache, an attacker can use this to poison the cached response, so that the injected script executes for subsequent visitors who are served that response.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected script runs in the browser of each user who receives the poisoned response, in the context of the application's origin and that user's session.

Remediation

Upgrade to Next.js 15.5.16 (15.x line) or 16.2.5 (16.x line), where this vulnerability has been fixed. If an immediate upgrade is not possible, strip the inbound Content-Security-Policy request header from untrusted traffic before it reaches the application.
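The following is an added example of the interim mitigation, written for this page; it is not code from the advisory and not Next.js code. It assumes the header in question is the inbound Content-Security-Policy request header (the name used above), that the caller determines whether a request is trusted from something the client cannot forge (for example which listener or upstream the request arrived on), and that the WHATWG Headers API available in Node 18+ is present. It also adds a defence-in-depth check, not mentioned in the advisory, that flags nonce values which are not well-formed CSP base64-values, so a dropped header can be logged for detection.

```javascript
// Added example (not from the advisory and not Next.js code): a request-header
// filter implementing the interim mitigation above, plus a format check on any
// CSP nonce that does arrive. Uses only the WHATWG Headers API (Node 18+).

const CSP_REQUEST_HEADER = "content-security-policy";

// CSP3 base64-value: ALPHA / DIGIT / "+" / "/" / "-" / "_", optional "=" padding.
// Anything outside this set (quotes, angle brackets, whitespace) is malformed.
const NONCE_VALUE = /^[A-Za-z0-9+/_-]+={0,2}$/;

// Return a copy of `headers` with the inbound CSP header removed unless the
// request is trusted. `trusted` must be derived by the caller from something
// the client cannot forge (which listener or upstream the request arrived on),
// never from a client-supplied header. The dropped values are returned so the
// caller can log them: an untrusted client sending this header is a signal.
function stripInboundCsp(headers, { trusted = false } = {}) {
  const out = new Headers(headers);
  const dropped = [];
  if (!trusted && out.has(CSP_REQUEST_HEADER)) {
    dropped.push(out.get(CSP_REQUEST_HEADER));
    out.delete(CSP_REQUEST_HEADER);
  }
  return { headers: out, dropped };
}

// Extract every 'nonce-...' source expression from a CSP value and return the
// ones whose value is not a well-formed base64-value. Usable as a detection
// rule over proxy logs or as a defence-in-depth check in middleware.
function findMalformedNonces(csp) {
  const bad = [];
  for (const directive of csp.split(";")) {
    for (const token of directive.trim().split(/\s+/)) {
      const m = /^'nonce-(.*)'$/i.exec(token);
      if (m && !NONCE_VALUE.test(m[1])) bad.push(m[1]);
    }
  }
  return bad;
}

// Constructed sample: a request from an untrusted client that carries a CSP
// header whose second nonce contains a double-quote character.
const sampleRequestHeaders = new Headers({
  accept: "text/html",
  [CSP_REQUEST_HEADER]: "script-src 'nonce-abc123' 'nonce-x\"y'",
});

const result = stripInboundCsp(sampleRequestHeaders, { trusted: false });
for (const value of result.dropped) {
  const malformed = findMalformedNonces(value);
  console.log(`dropped inbound CSP header; malformed nonces: ${JSON.stringify(malformed)}`);
}
```

Place the filter at the edge (reverse proxy or edge function) in front of the application, and mark as trusted only the path that your own nonce-setting middleware uses; everything from the public internet is untrusted. Keep the original headers untouched and work on a copy so the decision is auditable in logs.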

Added: May 13, 2026, 7:46 PM
Updated: May 13, 2026, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.7
exploitability: 6.2
remediation: 8.3
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.