CVE-2025-13984

🗓️ 28 Jan 2026 20:02:22Reported by drupalType

CVE-2025-13984 Next.js cross-domain policy bypass enabling cross-site scripting.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2025-13984	28 Jan 202620:02	–	attackerkb
CNNVD	Drupal Next.js security vulnerabilities	28 Jan 202600:00	–	cnnvd
Cvelist	CVE-2025-13984 Next.js - Critical - Access bypass - SA-CONTRIB-2025-122	28 Jan 202620:02	–	cvelist
Drupal	Next.js - Critical - Access bypass - SA-CONTRIB-2025-122	3 Dec 202500:00	–	drupal
EUVD	EUVD-2025-206437	28 Jan 202620:02	–	euvd
NVD	CVE-2025-13984	28 Jan 202620:16	–	nvd
OSV	DRUPAL-CONTRIB-2025-122	3 Dec 202518:49	–	osv
Positive Technologies	PT-2026-5203	28 Jan 202600:00	–	ptsecurity
Vulnrichment	CVE-2025-13984 Next.js - Critical - Access bypass - SA-CONTRIB-2025-122	28 Jan 202620:02	–	vulnrichment

NVD

Node

kanopi next.jsRange<1.6.4drupal

kanopi next.jsRange2.0.0–2.0.1drupal

[
  {
    "collectionURL": "https://www.drupal.org/project/next",
    "defaultStatus": "unaffected",
    "product": "Next.js",
    "repo": "https://git.drupalcode.org/project/next",
    "vendor": "Drupal",
    "versions": [
      {
        "lessThan": "1.6.4",
        "status": "affected",
        "version": "0.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "2.0.1",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
drupal	www.drupal.org/sa-contrib-2025-122

06 Feb 2026 19:02Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.16.1

EPSS0.00051

SSVC

CWE-942