CVE-2026-44580

Published May 13, 2026

Last updated 14 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-44580 describes a cross-site scripting (XSS) vulnerability in Next.js. It affects applications that pass untrusted input into `beforeInteractive` scripts. The root cause is improper handling of the serialized script content: it was not safely escaped before being embedded into the document, so attacker-controlled input could terminate the intended script context early and execute arbitrary JavaScript in a visitor's browser. The fix HTML-escapes the serialized `beforeInteractive` script content so that malicious input can no longer break out of the inline script boundary.

Description
Next.js is a React framework for building full-stack web applications. Versions from 13.0.0 up to but not including 15.5.16, and 16.x versions before 16.2.5, are affected: applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.
Source
security-advisories@github.com
NVD status
Analyzed
Products
next.js

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security-advisories@github.com
CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
