CVE Daily
← All tags

Tag: Next.js

All CVEs associated with "Next.js". Page 1/1 • 13 CVEs.

About “Next.js”

A curated feed of “Next.js”-related CVEs appears below. We currently track 13 CVEs for this tag (all time). In the last 365 days, 9 were published. Average CVSS is 7.2 (all time; 7.2 over 365d), and 69% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data, CWE-754 - Improper Check for Unusual or Exceptional Conditions.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: nextjs

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
1616.2.7-LTS
1515.5.19 SoonLTS
1414.2.35 ExpiredLTS
1313.5.11 Expired
1212.3.7 Expired
1111.1.4 Expired
1010.2.3 Expired
99.5.5 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Next.js”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-26
Medium

CVE-2026-9566

A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipul…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2026-05-13
Low

CVE-2026-44572

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path han…

CVSS: 3.7 CWE: CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data View on NVD
2026-05-11
High

CVE-2026-42349

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other…

CVSS: 8.1 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
2026-04-24
Critical

CVE-2026-41248

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowi…

CVSS: 9.1 CWE: CWE-436 - Interpretation Conflict View on NVD
2026-03-20
High

CVE-2026-32887

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.…

CVSS: 7.4 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2026-03-10
Medium

CVE-2026-30942

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows an…

CVSS: 6.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-11-21
Critical

CVE-2025-64762

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated re…

CVSS: 9.1 CWE: CWE-524 - Use of Cache Containing Sensitive Information View on NVD
2025-06-16
Critical

CVE-2025-6087

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next,…

CVSS: 9.1 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2025-06-04
High

CVE-2025-48947

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, `__session` cookies set by auth0.middleware may be…

CVSS: 7.7 CWE: CWE-525 - Use of Web Browser Cache Containing Sensitive Information View on NVD
2024-05-14
High

CVE-2024-34350

Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as…

CVSS: 7.5 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
2024-01-30
High

CVE-2024-23841

apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To explo…

CVSS: 8.2 CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) View on NVD
2022-08-31
Medium

CVE-2022-36046

Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v…

CVSS: 5.3 CWE: CWE-248 - Uncaught Exception View on NVD
2021-06-25
High

CVE-2021-32702

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitra…

CVSS: 8.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox