CVE-2026-44581

MEDIUM LAB

Next.js: Cross-site scripting in App Router applications using CSP nonces

Title source: CNA

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-44581. PoCs published by dwisiswant0, XZ1r0.


Description

Next.js is a React framework for building full-stack web applications. In versions from 13.4.0 up to (but not including) 15.5.16, and in 16.x before 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.

Exploits (2)

GitHub · Working PoC · 127 stars
by dwisiswant0 · Python PoC
https://github.com/dwisiswant0/next-16.2.4-pocs

This repository contains functional proof-of-concept exploits for multiple Next.js v16.2.4 vulnerabilities, including SSRF, XSS, and cache poisoning. The PoCs are well-documented with technical details, vulnerable code excerpts, and runnable exploit scripts.

Classification
Working PoC 95%
Attack Type
SSRF | XSS | DoS | Auth Bypass | Cache Poisoning
Complexity
Moderate
Reliability
Reliable
Target: Next.js v16.2.4
No auth needed
Prerequisites: Vulnerable Next.js v16.2.4 installation · Network access to the target
Analyzed by devstral-2 on May 13, 2026

GitHub · Working PoC
by XZ1r0 · Python PoC
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/next-16.2.4-pocs/poc/CVE-2026-44581_GHSA-ffhc-5mcf-pf4q

This repository contains a functional exploit for CVE-2026-44581, a reflected XSS vulnerability in Next.js versions before 16.2.5. The exploit demonstrates how a malformed CSP nonce can break out of the attribute context, allowing arbitrary JavaScript execution.

Classification
Working PoC 100%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: Next.js <16.2.5
No auth needed
Prerequisites: Ability to influence the Content-Security-Policy request header
Analyzed by devstral-2 on May 21, 2026


Scores

CVSS v3 4.7
EPSS 0.0001
EPSS Percentile 1.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (5)
npm/next 13.4.0 - 15.5.16
npm/next 16.0.0 - 16.2.5
vercel/next.js 13.4.0 - 15.5.16
vercel/next.js >= 13.4.0, < 15.5.16
vercel/next.js >= 16.0.0, < 16.2.5
Published May 13, 2026
Tracked Since May 13, 2026