Next.js has launched a monthly security release program, with the first update scheduled for July 20, 2026. This update will address nine vulnerabilities across supported versions of the framework.
The initial release will provide patch updates for Next.js versions 16.2 and 15.5. According to the Next.js team, this update will fix four high-severity vulnerabilities and five medium-severity ones.
Detailed technical information, including CVE identifiers and remediation guidance, will be shared after the patches are released. This new program replaces the framework’s historically ad-hoc approach to security updates.
While emergency patches will still be issued immediately for actively exploited vulnerabilities or urgent issues, the new monthly schedule aims to give development and security teams advance notice for planning upgrades.
Next.js Monthly Security Release Program
Next.js plans to publish monthly pre-release announcements outlining the expected patch timeline and the highest anticipated severity of vulnerabilities included in each scheduled release.
This approach will also give hosting providers, cloud platforms, and other ecosystem partners time to deploy temporary mitigations such as web application firewall (WAF) rules before organizations implement the upgrades.
This development follows a trend in which security researchers increasingly use large language models to efficiently identify software flaws.
Next.js cited recent industry findings, including Mozilla’s report of 271 vulnerabilities in Firefox discovered using Anthropic’s Mythos Preview, highlighting the growing volume of vulnerability research.
The team said it uses similar techniques internally with DeepSec, an open-source security research tool maintained by Vercel Labs, alongside internal researchers and an expanded bug bounty program to identify and fix weaknesses before attackers can exploit them.
Next.js emphasized that its security practices encompass the entire software development lifecycle, including static analysis during development, controls over package publication, and coordination with external researchers on responsible disclosure.
They referenced the React2Shell exploit disclosed in December as an example of their established incident response and vulnerability management processes.
Developers using Next.js versions 16.2 or 15.5 should monitor the July 2026 advisory and prepare to apply the corresponding patch release promptly.
Organizations are also advised to review their deployment controls, including WAF protections, dependency management processes, and upgrade testing workflows.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

