Remote Code Execution Vulnerability in Next.js Framework by Vercel
CVE-2026-45109

7.5HIGH

Key Information:

Vendor: Vercel
Status: Next.js
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-45109?

The Next.js framework from Vercel has a vulnerability that affects versions 15.2.0 to before 15.5.18 and 16.2.6. This issue arises from an incomplete fix for a related vulnerability, CGE-2026-44575, which did not sufficiently address concerns in middleware.ts when using Turbopack. Developers utilizing these versions may be at risk of remote code execution, warranting immediate attention to update to the provided patched versions 15.5.18 and 16.2.6.

Affected Version(s)

next.js >= 15.2.0, < 15.5.17 < 15.2.0, 15.5.17

next.js >= 16.0.0, < 16.2.6 < 16.0.0, 16.2.6

References

https://github.com/vercel/next.js/security/advisories/GHS...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-45109 Data

JSON