CVE-2026-44580 MEDIUM

CVE-2026-44580: Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input

Vendor Vercel
Product next.js
Weakness CWE-79 · XSS
Published May 13, 2026
Last update May 13, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.

Key dates

02Disclosure timeline

May 13, 2026 CVE published
May 13, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-24688 WordPress WP Mailster Plugin <= 1.8.20.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-7662 ePaperFlip Publisher <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'publicationid' Shortcode Attribute CVE-2024-26278 [20240705] - Core - XSS in com_fields default field value CVE-2025-3692 SourceCodester Online Eyewear Shop Master.php cross site scripting CVE-2026-53427 Cross-site scripting in MDEx via unescaped highlight_lines_class code-fence attribute