CVE-2026-44580
published 2026-05-13


Priority: P4 (28)
CVSS 3.1: 6.1 medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.21% (10.6th percentile)
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.
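The description above names the root cause as serialized content that is embedded into the document without escaping for the script context. The following is an added illustration of that hardening pattern, written for this page; it is not Next.js's code and not the project's actual fix, and the helper names (serializeUnsafe, serializeForScript, renderInlineScript, breaksScriptContext) and the sample input are constructed here. The point it shows: inside a <script> element the HTML parser does not decode entities, so the serializer has to neutralize the few characters the HTML tokenizer acts on by turning them into JavaScript \uXXXX escapes, which remain valid JSON and decode back to the original value.

```javascript
// Added example (not Next.js code): serializing data for an inline <script>.
// Entity encoding (&lt;) is wrong here: the browser would hand the entity text
// to the JS engine unchanged. Instead, "<", ">" and "&" are rewritten as JS
// unicode escapes. U+2028/U+2029 are included because some JS engines treat
// them as line terminators inside string literals.

// Naive serialization: whatever the untrusted value contains lands in the
// document as-is, including a literal "</script" sequence.
function serializeUnsafe(value) {
  return JSON.stringify(value);
}

// Hardened serialization: still JSON, but free of HTML-significant characters.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;
function serializeForScript(value) {
  return JSON.stringify(value).replace(
    SCRIPT_UNSAFE,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// How a framework typically inlines per-page data for an early script:
// the serialized blob is concatenated straight into the <script> body.
function renderInlineScript(value, serialize) {
  return "<script>window.__CONFIG__ = " + serialize(value) + ";</script>";
}

// Review/test-suite check: does the serialized body contain a sequence that
// the HTML tokenizer treats specially inside script data? "</script" ends the
// element; "<!--" switches the tokenizer into the script-data-escaped state.
function breaksScriptContext(serialized) {
  return /<\/script|<!--/i.test(serialized);
}

// Constructed sample: a user-controlled string that happens to contain markup.
const untrustedInput = {
  title: "a </script> b <!-- c",
  note: "line\u2028break",
};

// Round-trip check: the hardened form must decode to exactly the input value.
function roundTripsExactly(value) {
  return JSON.stringify(JSON.parse(serializeForScript(value))) === JSON.stringify(value);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive  :", renderInlineScript(untrustedInput, serializeUnsafe));
  console.log("escaped:", renderInlineScript(untrustedInput, serializeForScript));
  console.log("naive breaks out?  ", breaksScriptContext(serializeUnsafe(untrustedInput)));
  console.log("escaped breaks out?", breaksScriptContext(serializeForScript(untrustedInput)));
}
```

The useful part for a code base that inlines data this way is breaksScriptContext: wire it into the unit tests of whatever function produces the inline script so a regression in the serializer is caught before it ships, and treat any "<" surviving in the serialized body as a failure.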

Affected (12 ranges)

Vendor     Product                 Version range          Fixed in
next       next
next       next                    >= 13.0.0 < 15.5.16    15.5.16
next       next                    >= 16.0.0 < 16.2.5     16.2.5
rhelai3    bootc-cuda-rhel9
rhelai3    bootc-gaudi-rhel9
rhelai3    bootc-rocm-rhel9
rhelai3    disk-image-cuda-rhel9
rhtas      rekor-search-ui-rhel9
vercel     next.js
vercel     next.js
vercel     next.js                 >= 13.0.0 < 15.5.16    15.5.16
vercel     next.js                 >= 16.0.0 < 16.2.5     16.2.5

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vendor_redhat            6.1    MEDIUM