Security context
Medium· 4.7GHSA-ffhc-5mcf-pf4q CVE-2026-44581CWE-79Published May 11, 2026

Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

13.4.0 → fixed in 15.5.1616.0.0 → fixed in 16.2.5

Details

### Impact App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. ### Fix We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context. ### Workarounds If you cannot upgrade immediately, strip inbound `Content-Security-Policy` request headers from untrusted traffic.

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References