CVE-2026-44580

Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 13.05.2026 Updated: 13.05.2026

Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 6.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vercel
Product	next.js
Versions	Version >= 13.0.0, < 15.5.16 is affected Version >= 16.0.0, < 16.2.5 is affected

Vendor

vercel

Product

next.js

Versions

Version >= 13.0.0, < 15.5.16 is affected
Version >= 16.0.0, < 16.2.5 is affected

References

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE

CVE-2026-44580 PUBLISHED

Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input

Metrics

Product Status

References

Problem Types