CVE-2026-44580

Description

### Impact Applications that use `beforeInteractive` scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. ### Fix We now HTML-escape serialized `beforeInteractive` script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary. ### Workarounds If you cannot upgrade immediately, do not pass untrusted data into `beforeInteractive` scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.

Affected packages (1)

• npm/next>= 13.0.0, < 15.5.16

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-44580
• PATCHhttps://github.com/vercel/next.js
• WEBhttps://github.com/vercel/next.js/releases/tag/v15.5.16
• WEBhttps://github.com/vercel/next.js/releases/tag/v16.2.5
• WEBhttps://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h