Next.js Security Vulnerability
Next.js is a React framework open-sourced by Vercel. Security vulnerabilities exist in Next.js versions 15.2.0 through 15.5.18 and in version 16.2.6. They stem from the fix for CVE-2026-44575 not being applied when using the Turbopack-based middleware.ts...
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
Impact: It was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. Refer to CVE-2026-44575 for further details. References: CVE-2026-44575...
PT-2026-39412
Name of the Vulnerable Software and Affected Versions: Next.js versions 13.0.0 through 15.5.15; Next.js versions 16.0.0 through 16.2.4. Description: Applications using beforeInteractive scripts combined with untrusted content are susceptible to cross-site scripting (XSS), a flaw where malicious scripts...
PT-2026-39411
Impact: Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections ope...