CVE-2026-44580
Published 2026-05-13
Priority P428 · medium · CVSS 3.1 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.21% (10.6th percentile)
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | — | — |
| next | next | >= 13.0.0 < 15.5.16 | 15.5.16 |
| next | next | >= 16.0.0 < 16.2.5 | 16.2.5 |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhtas | rekor-search-ui-rhel9 | — | — |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 13.0.0 < 15.5.16 | 15.5.16 |
| vercel | next.js | >= 16.0.0 < 16.2.5 | 16.2.5 |
CVSS provenance
NVD (CVSS v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat (vendor): 6.1 MEDIUM
VulDB
vercel next.js up to 15.5.15/16.2.4 cross site scripting (GHSA-gx5p-jg67-6x7h)
vuldb · 2026-05-13 · CVSS 6.1 · CVE-2026-44580 [MEDIUM]
A vulnerability was found in vercel next.js up to 15.5.15/16.2.4 and classified as problematic. Affected by this vulnerability is an unknown functionality. Executing a manipulation can lead to cross site scripting.
This vulnerability is tracked as CVE-2026-44580. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
GHSA
Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
ghsa · 2026-05-11 · CVE-2026-44580 [MEDIUM] · CWE-79
### Impact
Applications that use `beforeInteractive` scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.
### Fix
We now HTML-escape serialized `beforeInteractive` script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.
### Workarounds
If you cannot upgrade immediately, do not pass untrusted data into `beforeInteractive` scripts. If that pa
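The break-out and the fix described above, as an added illustration that is not Next.js's own code: a list of `beforeInteractive` scripts is serialized and embedded into an inline `<script>` element once verbatim and once with `<`, `>` and `&` rewritten as JS unicode escapes, and a small check reports whether the embedded body can terminate the element early. The `self.__next_s` global, the script-object shape and the function names (`renderUnsafe`, `renderSafe`, `scriptBodyBreaksOut`) are assumptions for this example, and unicode escaping stands in for the escaping step the advisory describes.

```javascript
// Added example, not Next.js code: models why an unescaped inline-script
// embed lets untrusted content close the <script> element early.

// Rewrite characters the HTML parser cares about (plus the two JS line
// terminators) as \uXXXX escapes. The result is still valid JSON and
// JSON.parse yields the original value, so the data is unchanged.
function escapeForInlineScript(json) {
  return json
    .replace(/&/g, '\\u0026')
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable pattern: serialized data dropped into the page verbatim.
function renderUnsafe(scripts) {
  return `<script>self.__next_s=${JSON.stringify(scripts)}</script>`;
}

// Hardened pattern: escape the serialized text before embedding it.
function renderSafe(scripts) {
  const json = escapeForInlineScript(JSON.stringify(scripts));
  return `<script>self.__next_s=${json}</script>`;
}

// Check: the browser ends a <script> element at the first "</script" it
// sees, so that sequence anywhere inside the body means a break-out.
function scriptBodyBreaksOut(html) {
  const body = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  return /<\/script/i.test(body);
}

// Constructed untrusted input (think: a value copied from a query string)
// that closes the inline script and opens a new one.
const UNTRUSTED = 'hi</script><script>/* injected */</script>';
const SCRIPTS = [
  { id: 'bootstrap', children: 'window.flag = ' + JSON.stringify(UNTRUSTED) },
];

console.log('unsafe breaks out:', scriptBodyBreaksOut(renderUnsafe(SCRIPTS))); // true
console.log('safe breaks out:  ', scriptBodyBreaksOut(renderSafe(SCRIPTS)));   // false
const roundTrip = JSON.parse(escapeForInlineScript(JSON.stringify(SCRIPTS)));
console.log('data unchanged:   ', JSON.stringify(roundTrip) === JSON.stringify(SCRIPTS)); // true
```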
Red Hat
next.js: Next.js: Cross-site scripting allows arbitrary code execution via untrusted script content
vendor_redhat · 2026-05-13 · CVSS 6.1 · CVE-2026-44580 [MEDIUM] · CWE-79
A flaw was found in Next.js. A remote attacker could exploit this cross-site scripting (XSS) vulnerability by injecting untrusted content into `beforeInte
No detection rules found.
No public exploits indexed.