{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-13T17:07:15Z",
  "bugzilla" : {
    "description" : "next.js: Next.js: Stored Cross-Site Scripting via malformed nonce values in cached responses",
    "id" : "2477191",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477191"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-79",
  "details" : [ "Next.js is a React framework for building full-stack web applications. In versions from 13.4.0 up to, but not including, 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.", "A stored cross-site scripting (XSS) flaw was found in Next.js. It affects App Router applications that rely on CSP nonces and are deployed behind shared caches, and allows a remote attacker to inject malicious scripts into web pages. By manipulating nonce values derived from request headers, an attacker can poison cached responses, leading to arbitrary script execution in the browsers of subsequent visitors who are served the poisoned response." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-gaudi-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Fix deferred",
    "package_name" : "rhtas/rekor-search-ui-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Fix deferred",
    "package_name" : "next",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Fix deferred",
    "package_name" : "next",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-44581\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44581\nhttps://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q" ],
  "name" : "CVE-2026-44581",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}