CVE-2026-45109
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix a
CVSS
7.5
Alto
EPSS
0.5%
p42
KEV
—
Exploit Today
13
0-100
Publicado: 13 may 2026 · Última mod.: 16 jul 2026 · CWE-288 · CWE-358
0.5%EPSS · 30 días0.5%
2026-06-302026-07-16
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
- github.comhttps://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:34608
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:37272
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:40974
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-45109
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2477190
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45109.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2024-555919.8 CRÍ99.9%
KEV—80Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability9dCVE-2025-244728.1 ALT86.2%
KEV—76Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability9dCVE-2026-445757.5 ALT71.8%
——22Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. This vulnerability is fixed in 15.5.16 and 16.2.5.19hCVE-2023-370579.8 CRÍ56.2%
——17An issue in JLINK Unionman Technology Co. Ltd Jlink AX1800 v.1.0 allows a remote attacker to execute arbitrary code via the router's authentication mechanism.8dCVE-2026-445138.8 ALT54.6%
——16Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the trust_remote_code gate was implemented inside DiffusionPipeline.download() rather than at the actual dynamic-module load site, so any code path that bypassed or short-circuited download() also bypassed the security check. DiffusionPipeline.from_pretrained('repoA', custom_pipeline='attacker/repoB', trust_remote_code=False) — the gate evaluated against repoA's file list rather than repoB's, so repoB's pipeline.py was loaded and executed. DiffusionPipeline.from_pretrained('/local/snapshot', custom_pipeline='attacker/repoB', trust_remote_code=False) — the local-path branch never invoked download(), so the gate was never reached and remote code from repoB executed. DiffusionPipeline.from_pretrained('/local/snapshot', trust_remote_code=False) where the snapshot contains custom component files (e.g. unet/my_unet_model.py) referenced from model_index.json — same root cause; the local path skipped download() and custom component code executed. This vulnerability is fixed in 0.38.0.2dCVE-2026-506289.8 CRÍ47.7%
——14A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this
security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.2d