Next.js vulnerabilities: known CVEs & security history
Vercel · Web / Framework · 47 tracked CVEs · 1 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all Next.js release lines — 47 in total, with 1 actively exploited in the wild. A CVE here doesn't mean your version is affected — check Next.js's current status and the safe version to run.
Known Next.js CVEs
Actively-exploited and most-severe first. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2025-55182 (⚡ exploited) | critical | 10 | 100% | 2025 |
| CVE-2025-29927 | critical | 9.1 | 93% | 2025 |
| CVE-2026-44578 | high | 8.6 | 3% | 2026 |
| CVE-2026-44574 | high | 8.1 | 0% | 2026 |
| CVE-2026-45109 | high | 7.5 | 0% | 2026 |
| CVE-2026-44579 | high | 7.5 | 0% | 2026 |
| CVE-2026-44575 | high | 7.5 | 1% | 2026 |
| CVE-2026-44573 | high | 7.5 | 0% | 2026 |
| CVE-2026-27980 | high | 7.5 | 1% | 2026 |
| CVE-2026-27979 | high | 7.5 | 0% | 2026 |
| CVE-2025-67779 | high | 7.5 | 19% | 2025 |
| CVE-2025-55184 | high | 7.5 | 66% | 2025 |
| CVE-2025-49826 | high | 7.5 | 1% | 2025 |
| CVE-2024-51479 | high | 7.5 | 4% | 2024 |
| CVE-2024-46982 | high | 7.5 | 58% | 2024 |
| CVE-2024-39693 | high | 7.5 | 0% | 2024 |
| CVE-2024-34351 | high | 7.5 | 5% | 2024 |
| CVE-2024-34350 | high | 7.5 | 1% | 2024 |
| CVE-2023-46298 | high | 7.5 | 1% | 2023 |
| CVE-2021-43803 | high | 7.5 | 45% | 2021 |
| CVE-2021-39178 | high | 7.5 | 1% | 2021 |
| CVE-2021-37699 | medium | 6.9 | 1% | 2021 |
| CVE-2026-29057 | medium | 6.5 | 0% | 2026 |
| CVE-2025-57822 | medium | 6.5 | 2% | 2025 |
| CVE-2025-57752 | medium | 6.2 | 0% | 2025 |
| CVE-2026-44580 | medium | 6.1 | 0% | 2026 |
| CVE-2026-44577 | medium | 5.9 | 0% | 2026 |
| CVE-2025-59472 | medium | 5.9 | 0% | 2026 |
| CVE-2025-59471 | medium | 5.9 | 0% | 2026 |
| CVE-2025-30218 | medium | 5.9 | 0% | 2025 |
| CVE-2024-47831 | medium | 5.9 | 1% | 2024 |
| CVE-2022-23646 | medium | 5.9 | 2% | 2022 |
| CVE-2022-21721 | medium | 5.9 | 2% | 2022 |
| CVE-2026-44576 | medium | 5.4 | 0% | 2026 |
| CVE-2026-27977 | medium | 5.4 | 0% | 2026 |
| CVE-2025-55183 | medium | 5.3 | 62% | 2025 |
| CVE-2024-56332 | medium | 5.3 | 1% | 2025 |
| CVE-2022-36046 | medium | 5.3 | 1% | 2022 |
| CVE-2026-44581 | medium | 4.7 | 0% | 2026 |
| CVE-2020-15242 | medium | 4.7 | 1% | 2020 |
| CVE-2026-27978 | medium | 4.3 | 0% | 2026 |
| CVE-2025-55173 | medium | 4.3 | 1% | 2025 |
| CVE-2025-48068 | medium | 4.3 | 0% | 2025 |
| CVE-2026-44582 | low | 3.7 | 0% | 2026 |
| CVE-2026-44572 | low | 3.7 | 0% | 2026 |
| CVE-2025-49005 | low | 3.7 | 0% | 2025 |
| CVE-2025-32421 | low | 3.7 | 1% | 2025 |
Is my Next.js version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Next.js vulnerabilities — frequently asked
How many known vulnerabilities does Next.js have?
IsItPatched tracks 47 CVEs for Next.js, 1 of which is actively exploited (CISA KEV). 2 are critical-severity and 19 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Next.js have any actively-exploited vulnerabilities?
Yes — 1 Next.js CVE is in CISA's Known Exploited Vulnerabilities catalog, meaning it is confirmed exploited in the wild (1 linked to ransomware). Patch it as a priority.
What is the most severe Next.js vulnerability?
Among tracked issues, CVE-2025-55182 (CRITICAL, CVSS 10), which is actively exploited, ranks highest — an insecure deserialization weakness.
Is Next.js safe to use?
It depends on the version. The latest supported Next.js release (16.2.9) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against Vercel's advisories.