CVE-2025-29927 — CVSS 9.1 (critical): Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9…
CVE-2026-44578 — CVSS 8.6 (high): Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications…
CVE-2026-44574 — CVSS 8.1 (high): Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on…
CVE-2026-27979 — CVSS 7.5 (high): Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request…
CVE-2025-55184 — CVSS 7.5 (high): A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2…
CVE-2023-46298 — CVSS 7.5 (high): Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a…
CVE-2024-34350 — CVSS 7.5 (high): Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation…
CVE-2024-34351 — CVSS 7.5 (high): Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF)…
CVE-2024-39693 — CVSS 7.5 (high): Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash…
CVE-2024-46982 — CVSS 7.5 (high): Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the…
CVE-2021-39178 — CVSS 7.5 (high): Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an…
CVE-2024-51479 — CVSS 7.5 (high): Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing…
CVE-2026-44579 — CVSS 7.5 (high): Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial…
CVE-2021-43803 — CVSS 7.5 (high): Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In…
CVE-2026-44575 — CVSS 7.5 (high): Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications…
CVE-2025-49826 — CVSS 7.5 (high): Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning…
CVE-2026-44573 — CVSS 7.5 (high): Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the…
CVE-2026-45109 — CVSS 7.5 (high): Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix…
CVE-2025-67779 — CVSS 7.5 (high): It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service…
CVE-2026-27980 — CVSS 7.5 (high): Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default…
CVE-2021-37699 — CVSS 6.9 (medium): Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths…
CVE-2025-57822 — CVSS 6.5 (medium): Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without…
CVE-2026-29057 — CVSS 6.5 (medium): Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7…
CVE-2025-57752 — CVSS 6.2 (medium): Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js…
CVE-2026-44580 — CVSS 6.1 (medium): Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use…
CVE-2022-23646 — CVSS 5.9 (medium): Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI)…
CVE-2022-21721 — CVSS 5.9 (medium): Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger…
CVE-2024-47831 — CVSS 5.9 (medium): Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a…
CVE-2025-30218 — CVSS 5.9 (medium): Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the…
CVE-2025-59471 — CVSS 5.9 (medium): A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer…
CVE-2025-59472 — CVSS 5.9 (medium): A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR…
CVE-2026-44577 — CVSS 5.9 (medium): Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js…
CVE-2026-44576 — CVSS 5.4 (medium): Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React…
CVE-2026-27977 — CVSS 5.4 (medium): Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next…
CVE-2025-55183 — CVSS 5.3 (medium): An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1…
CVE-2022-36046 — CVSS 5.3 (medium): Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected…
CVE-2024-56332 — CVSS 5.3 (medium): Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21…
CVE-2020-15242 — CVSS 4.7 (medium): Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash…
CVE-2026-44581 — CVSS 4.7 (medium): Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications…
CVE-2026-27978 — CVSS 4.3 (medium): Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin…
CVE-2025-55173 — CVSS 4.3 (medium): Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js…
CVE-2025-48068 — CVSS 4.3 (medium): Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to…
CVE-2026-44582 — CVSS 3.7 (low): Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component…
CVE-2026-44572 — CVSS 3.7 (low): Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could…
CVE-2025-32421 — CVSS 3.7 (low): Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition…
CVE-2025-49005 — CVSS 3.7 (low): Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI…