Skip to main content

Next.js CVE-2026-44580

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 https://github.com/vercel/next.js GHSA-gx5p-jg67-6x7h
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:17 vuln.today
Analysis Generated
May 11, 2026 - 16:17 vuln.today
CVE Published
May 11, 2026 - 15:56 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 npm packages depend on next (15 direct, 1 indirect)

Ecosystem-wide dependent count for version 13.0.0.

DescriptionGitHub Advisory

Impact

Applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.

Fix

We now HTML-escape serialized beforeInteractive script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.

Workarounds

If you cannot upgrade immediately, do not pass untrusted data into beforeInteractive scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.

AnalysisAI

Cross-site scripting in Next.js beforeInteractive scripts allows remote unauthenticated attackers to execute arbitrary JavaScript in visitor browsers when applications pass untrusted content to beforeInteractive script features. The vulnerability arises from insufficient HTML escaping of serialized script content before embedding into the document, enabling attackers to break out of the script context. Affected versions include 13.0.0 through 15.5.15 and 16.0.0 through 16.2.4; patched versions 15.5.16 and 16.2.5 are available. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS score of 6.1 reflects moderate risk with required user interaction.

Technical ContextAI

Next.js is a React framework that provides the beforeInteractive script feature for executing JavaScript in the page head before React hydration. The vulnerability exists in how Next.js serializes and embeds beforeInteractive script content into the HTML document. When application code passes untrusted user input (such as from database queries, API responses, or URL parameters) directly into beforeInteractive script payloads, the framework failed to properly HTML-escape the content before inserting it into inline script tags. This is a classic DOM-based XSS vulnerability (CWE-79) where unsafe string concatenation allows malicious input containing script delimiters or JavaScript syntax to escape the intended script context and execute arbitrary code in the visitor's browser. The vulnerability is specific to the beforeInteractive feature and does not affect other Next.js script loading mechanisms that properly handle content sanitization.

RemediationAI

Upgrade Next.js to version 15.5.16 or later for the 15.x branch, or version 16.2.5 or later for the 16.x branch. These versions implement HTML-escaping of serialized beforeInteractive script content, preventing attacker-controlled input from breaking out of the script boundary. The upgrade can be performed via npm update next or by modifying package.json and reinstalling dependencies. If immediate upgrade is not feasible, implement the following compensating controls with noted trade-offs: (1) Do not pass untrusted data (user input, database-sourced content, or API responses) directly into beforeInteractive script features - this is the primary mitigation and involves code review of all beforeInteractive usage; (2) If passing dynamic content to beforeInteractive is unavoidable, manually HTML-escape all untrusted input using libraries like he or xss before embedding, though this shifts responsibility to developers and increases risk of escape failures; (3) Implement Content Security Policy (CSP) with script-src restrictions to limit the impact of successfully injected scripts, though CSP does not prevent inline script execution without nonce or hash whitelisting, which Next.js may not support for dynamically-generated beforeInteractive scripts. Vercel recommends immediate patching as the primary remediation path.

Vendor StatusVendor

Share

CVE-2026-44580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy