Fluid Attacks Database

Description

A flaw was found in Next.js. This vulnerability, a type of stored cross-site scripting (XSS), allows a remote attacker to inject malicious scripts into web pages. By manipulating nonce values derived from request headers, an attacker can poison cached responses, leading to arbitrary script execution in the browsers of subsequent visitors.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=13.4.0 <15.5.16 \|\| >=16.0.0 <16.2.5	15.5.16, 16.2.5
rpm rhel10	firefox	-	-
rpm rhel9	firefox	-	-
rpm rhel10	thunderbird	-	-
rpm rhel8	thunderbird	-	-
rpm rhel9	thunderbird	-	-
rpm rhel7	firefox	-	-
rpm rhel8	firefox	-	-

Aliases

1. CVE-2026-445812. NVD-2026-445813. OSV-2026-445814. GHSA-ffhc-5mcf-pf4q5. GCVE-2026-44581

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q2. https://github.com/vercel/next.js/releases/tag/v15.5.163. https://github.com/vercel/next.js/releases/tag/v16.2.5