Product
vercel next.js
52 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-45109
>= 15.2.0 and < 15.5.18
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that
7.5
HIGH
CVE-2026-44582
>= 13.4.6 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Comp
3.7
LOW
CVE-2026-44581
>= 13.4.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applic
4.7
MEDIUM
CVE-2026-44580
>= 13.0.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that
6.1
MEDIUM
CVE-2026-44579
>= 15.0.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Part
7.5
HIGH
CVE-2026-44578
>= 13.4.13 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted appl
8.6
HIGH
CVE-2026-44577
>= 10.0.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting
5.9
MEDIUM
CVE-2026-44576
>= 14.2.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications usin
5.4
MEDIUM
CVE-2026-44575
>= 15.2.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applic
7.5
HIGH
CVE-2026-44574
>= 15.4.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that
8.1
HIGH
CVE-2026-44573
>= 12.2.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications usin
7.5
HIGH
CVE-2026-44572
>= 12.2.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external clien
3.7
LOW
CVE-2026-29057
>= 9.5.0 and < 15.5.13
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and
6.5
MEDIUM
CVE-2026-27980
>= 10.0.0 and < 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the
7.5
HIGH
CVE-2026-27979
>= 16.0.1 and < 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a r
7.5
HIGH
CVE-2026-27978
>= 16.0.1 and < 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `or
4.3
MEDIUM
CVE-2026-27977
>= 16.0.1 and < 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in
5.4
MEDIUM
CVE-2025-13984
< 1.6.4
Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS). T
6.1
MEDIUM
CVE-2025-59472
>= 15.0.0 and < 15.6.0
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode.
5.9
MEDIUM
CVE-2025-59471
>= 10.0.0 and < 15.5.10
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image O
5.9
MEDIUM
CVE-2025-67779
>= 13.3.0 and < 14.2.35
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of ser
7.5
HIGH
CVE-2025-55184
>= 13.3.0 and < 14.2.35
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.
7.5
HIGH
CVE-2025-55183
>= 15.0.0 and < 15.0.7
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.
5.3
MEDIUM
CVE-2025-55182
>= 15.0.0 and < 15.0.5
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19
10.0
CRITICAL
CVE-2025-57822
< 14.2.32
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used
6.5
MEDIUM
CVE-2025-57752
< 14.2.31
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5
6.2
MEDIUM
CVE-2025-55173
< 14.2.31
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5
4.3
MEDIUM
CVE-2025-49826
> 15.0.4 and < 15.1.8
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache po
7.5
HIGH
CVE-2025-49005
>= 15.3.0 and < 15.3.3
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Verc
3.7
LOW
CVE-2025-48068
>= 13.0.0 and < 14.2.30
Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0
4.3
MEDIUM
CVE-2025-32421
< 14.2.24
Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition
3.7
LOW
CVE-2025-30218
all versions
Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middlew
5.9
MEDIUM
CVE-2025-29927
>= 11.1.4 and < 12.3.5
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13
9.1
CRITICAL
CVE-2024-56332
>= 13.0.0 and < 13.5.8
Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14
5.3
MEDIUM
CVE-2024-51479
>= 9.5.5 and < 14.2.15
Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing
7.5
HIGH
CVE-2024-47831
>= 10.0.0 and < 14.2.7
Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain
5.9
MEDIUM
CVE-2024-46982
>= 13.5.1 and < 13.5.7
Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison
7.5
HIGH
CVE-2024-39693
>= 13.3.1 and < 13.5.0
Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a
7.5
HIGH
CVE-2024-34351
>= 13.4.0 and < 14.1.1
Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vul
7.5
HIGH
CVE-2024-34350
>= 13.4.0 and < 13.5.1
Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpr
7.5
HIGH
CVE-2023-46298
< 13.4.20
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN,
7.5
HIGH
CVE-2022-36046
all versions
Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be
5.3
MEDIUM
CVE-2022-23646
>= 10.0.0 and < 12.1.0
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (U
5.9
MEDIUM
CVE-2022-21721
>= 12.0.0 and < 12.0.9
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to
5.9
MEDIUM
CVE-2021-43803
>= 11.1.0 and < 11.1.3
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server c
7.5
HIGH
CVE-2021-39178
>= 10.0.0 and < 11.1.1
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order
7.5
HIGH
CVE-2021-37699
>= 10.0.5 and <= 10.2.0
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded
6.9
MEDIUM
CVE-2020-15242
>= 9.5.0 and < 9.5.4
Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing sl
4.7
MEDIUM
CVE-2020-5284
< 9.3.2
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in
4.4
MEDIUM
CVE-2018-18282
all versions
Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page.
6.1
MEDIUM
CVE-2018-6184
all versions
ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace.
7.5
HIGH
CVE-2017-16877
< 2.4.1
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sen
7.5
HIGH
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin