Next.js — CVE history (npm)
Next.js
51 CVEs affect the Next.js npm package (highest CVSS 10.0). 1 on CISA's Known Exploited Vulnerabilities catalog. Latest disclosed: 2026-05-13. Full CVE history sourced from NVD.
Summary
- Package: Next.js (npm)
- Total CVEs: 51
- Actively exploited (CISA KEV): 1
- Highest CVSS: 10.0
- Latest disclosed: 2026-05-13
Recent CVEs (top 20)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-45109 | High | 7.5 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44582 | Low | 3.7 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44581 | Medium | 4.7 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44580 | Medium | 6.1 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44579 | High | 7.5 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44578 | High | 8.6 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44577 | Medium | 5.9 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44576 | Medium | 5.4 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44575 | High | 7.5 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44574 | High | 8.1 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44573 | High | 7.5 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44572 | Low | 3.7 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-29057 | Medium | 6.5 | — | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27980 | High | 7.5 | — | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27979 | High | 7.5 | — | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27978 | Medium | 4.3 | — | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27977 | Medium | 5.4 | — | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2025-59472 | Medium | 5.9 | — | 2026-01-26 | A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. |
| CVE-2025-59471 | Medium | 5.9 | — | 2026-01-26 | A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. |
| CVE-2025-67779 | High | 7.5 | — | 2025-12-12 | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |
| CVE-2025-29927 | Critical | 9.1 | — | 2025-03-21 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44578 | High | 8.6 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44574 | High | 8.1 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-45109 | High | 7.5 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44579 | High | 7.5 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44575 | High | 7.5 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44573 | High | 7.5 | — | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27980 | High | 7.5 | — | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27979 | High | 7.5 | — | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
Actively exploited (CISA KEV — 1)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |