CVE-2026-44580: Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
Applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor’s browser.
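The escaping problem described above, as an added example that is not Next.js source code or its actual patch: it contrasts plain `JSON.stringify` output embedded in an inline script with an escaped form and checks how many script end tags the HTML parser would see. The function names, `window.__DATA__`, and the sample input are assumptions made for illustration.

```javascript
// Added illustration: not Next.js source. All names below are hypothetical.

// JSON.stringify escapes quotes and backslashes, but leaves "<", ">" and "&"
// untouched. The HTML tokenizer runs before the JavaScript parser, so a
// "</script" sequence inside a string literal still ends the element.
function serializeUnsafe(value) {
  return JSON.stringify(value);
}

// Hardened form: rewrite characters the HTML parser (and older JS parsers,
// for U+2028/U+2029) treat specially as \uXXXX escapes. The JavaScript
// parser decodes them back, so the data round-trips unchanged.
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Embed serialized data the way an inline bootstrap script would.
function inlineScript(serialized) {
  return `<script>window.__DATA__ = ${serialized};</script>`;
}

// Defender's check: how many script end tags would the HTML tokenizer see?
// Exactly one (the wrapper's own) means the data stayed inside the element.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample input standing in for untrusted content.
const untrusted = { note: "</script><!-- constructed marker -->" };

const unsafeHtml = inlineScript(serializeUnsafe(untrusted));
const safeHtml = inlineScript(serializeForInlineScript(untrusted));

console.log("unsafe end tags:", scriptCloseCount(unsafeHtml));
console.log("hardened end tags:", scriptCloseCount(safeHtml));
console.log("round-trips:",
  JSON.parse(serializeForInlineScript(untrusted)).note === untrusted.note);
```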