Is Next.js 14.2.35 patched?
Current stable (16.2.9): 100/100
14.2.35 has 3 open critical-or-high vulnerabilities. Run 16.2.6 or later to clear them. See what 16.2.6 fixes →
Summary iPlain-English security status for Next.js 14.2.35, built from its CVEs, active-exploitation data, end-of-life date and latest release.
Next.js 14.2.35 is part of the 14.2 release line. 11 known vulnerabilities affect it. The minimum safe version is 16.2.6 — upgrade to it or later to clear the open critical/high issues. The latest supported Next.js release is 16.2.9.
Known issues affecting 14.2.35
Exploited first, then by exploitation probability.
CVE-2026-44578 HIGH EPSS 3% → fixed in 16.2.5 CVE-2026-27980 HIGH EPSS 1% → fixed in 16.1.7 CVE-2025-59471 MEDIUM EPSS 0% → fixed in 16.1.5 CVE-2026-29057 MEDIUM EPSS 0% → fixed in 16.1.7 CVE-2026-44577 MEDIUM EPSS 0% → fixed in 16.2.5 CVE-2026-44573 HIGH EPSS 0% → fixed in 16.2.5 CVE-2026-44576 MEDIUM EPSS 0% → fixed in 16.2.5 CVE-2026-44581 MEDIUM EPSS 0% → fixed in 16.2.5 CVE-2026-44580 MEDIUM EPSS 0% → fixed in 16.2.5 CVE-2026-44582 LOW EPSS 0% → fixed in 16.2.5 CVE-2026-44572 LOW EPSS 0% → fixed in 16.2.5Other Next.js versions
Check another release line of Next.js.
Frequently asked
Is Next.js 14.2.35 patched?
Next.js 14.2.35 has 3 open critical-or-high vulnerabilities. The minimum safe version is 16.2.6 — upgrade to 16.2.6 or later to clear them.
What version should I upgrade Next.js 14.2.35 to?
Upgrade Next.js 14.2.35 to at least 16.2.6 to clear its 3 open critical-or-high vulnerabilities.
What is the latest version of Next.js?
The latest supported Next.js release is 16.2.9.
Is Next.js 14.2.35 still receiving security updates?
Yes — the 14.2 line is still supported and receiving security updates. The latest release is 16.2.9.
Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Vercel's official advisory before you patch or upgrade — Next.js official site ↗