---
title: Next.js Security Release and Our Next Patch Release
description: Next.js is moving to a formal security release process
url: "https://nextjs.org/blog/next-security-release-program"
docs_index: /docs/llms.txt
publishedAt: July 13th 2026
authors:
  - Andrew Imm
  - Josh Story
---



We invest in security at every stage of the Next.js lifecycle, from static analysis and scanning as code is authored, through auditable package publication, to close collaboration with researchers who responsibly disclose vulnerabilities. The React2Shell exploit disclosed last December is an example of that process working as intended, and we’ve continued to mature our security program since then. As part of that process, today we are formalizing a security release program for Next.js.

The volume of vulnerability research across the industry is rising fast, driven by LLM-assisted discovery: Mozilla [recently disclosed](https://blog.mozilla.org/en/firefox/privacy-security/ai-security-zero-day-vulnerabilities/) 271 issues in a single Firefox release, all surfaced by Anthropic’s Mythos Preview. We run the same class of tooling against Next.js ourselves, through [deepsec](https://github.com/vercel-labs/deepsec), our own researchers, and an expanded bug bounty scope, so more issues reach us before they are discovered by attackers.

## A predictable release schedule

Historically, the team has published ad-hoc patches for security fixes. These were infrequent, but came with no advance notice and caused disruption for our users. **Today we are moving to a formal security release program, with updates that teams can plan around.** This kind of scheduled, pre-announced security release has become standard practice for major open source projects, and we think it’s the right model for Next.js at its current scale.

## What to expect

Here's what you can expect going forward: roughly once a month, we'll publish advance notice of upcoming security releases here on the Next.js blog. Each announcement will include the expected release timeline and the highest anticipated severity among the vulnerabilities it covers. This lead time lets you plan your upgrades, and it lets us coordinate with hosting providers and other platform partners to deploy mitigations, such as firewall rules, that help protect applications that haven’t been patched yet.

For urgent disclosures that cannot wait, or vulnerabilities that are already being exploited in the wild, we will still publish ad-hoc patches. We remain committed to securing your code as quickly as possible. Information on those ad-hoc releases will be also be shared on this blog, as we did for React2Shell and other vulnerabilities we uncovered in the follow-up investigation.

## Upcoming July release

Our first scheduled security release will target a publication on **July 20, 2026**. It will include patch releases for Next.js **16.2** and **15.5**, addressing multiple security issues. It includes fixes for 4 high and 5 medium severity vulnerabilities. We will publish a blog post containing the specifics of the update, including details of any CVEs, once the patch is available.

## Our security program

We work with a talented set of researchers to secure Next.js and other open source frameworks through [Vercel's Open Source Bug Bounty](https://hackerone.com/vercel-open-source). Anyone interested in contributing to the security of eligible frameworks is encouraged to participate there.

Any questions or concerns regarding our security programs or vulnerability management can be sent to [security@vercel.com](mailto:security@vercel.com).
