cbcvebase.
CVE-2026-45109
published 2026-05-13

CVE-2026-45109: Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing…

PriorityP345high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.51%
39.3th percentile
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.

Affected

12 ranges
VendorProductVersion rangeFixed in
mozillafirefox
mozillathunderbird
nextnext
nextnext>= 15.2.0 < 15.5.1815.5.18
nextnext>= 16.0.0 < 16.2.616.2.6
rhelai3bootc-cuda-rhel9
rhelai3bootc-gaudi-rhel9
rhelai3bootc-rocm-rhel9
rhelai3disk-image-cuda-rhel9
rhtasrekor-search-ui-rhel9
vercelnext.js>= 15.2.0 < 15.5.1815.5.18
vercelnext.js>= 16.0.0 < 16.2.616.2.6

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.