CVE-2026-44580— Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input
Possible ATT&CK Techniques 3AI
T1071 · Application Layer Protocol T1059 · Command and Scripting Interpreter T1189 · Drive-by CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44580
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input
Source: NVD (National Vulnerability Database)
Vulnerability Description
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Next.js 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Next.js是Vercel开源的一个 React 框架。 Next.js 13.0.0至15.5.16之前版本和16.2.5之前版本存在跨站脚本漏洞,该漏洞源于使用beforeInteractive脚本与不受信任内容时,序列化脚本内容未安全转义即嵌入文档,可能导致跨站脚本攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44580
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44580
请登录查看更多情报信息。
Advisory · 1
Same Patch Batch · vercel · 2026-05-13 · 13 CVEs total
| CVE-2026-44578 | 8.6 HIGH | Next.js: Server-side request forgery in applications using WebSocket upgrades |
| CVE-2026-44574 | 8.1 HIGH | Next.js: Middleware / Proxy bypass through dynamic route parameter injection |
| CVE-2026-45109 | 7.5 HIGH | Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes |
| CVE-2026-44579 | 7.5 HIGH | Next.js: Denial of Service via connection exhaustion in applications using Cache Component |
| CVE-2026-44575 | 7.5 HIGH | Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes |
| CVE-2026-44573 | 7.5 HIGH | Next.js: Middleware / Proxy bypass in Pages Router applications using i18n |
| CVE-2026-44577 | 5.9 MEDIUM | Next.js: Denial of Service in the Image Optimization API |
| CVE-2026-44479 | 5.5 MEDIUM | Vercel: Non-interactive mode includes CLI arguments in suggested command output |
| CVE-2026-44576 | 5.4 MEDIUM | Next.js: Cache poisoning in React Server Component responses |
| CVE-2026-44581 | 4.7 MEDIUM | Next.js: Cross-site scripting in App Router applications using CSP nonces |
| CVE-2026-44572 | 3.7 LOW | Next.js: Middleware / Proxy redirects can be cache-poisoned |
| CVE-2026-44582 | 3.7 LOW | Next.js: Cache poisoning via collisions in React Server Component cache-busting |
IV. Related Vulnerabilities
Same product: next.js
- CVE-2026-45109
Next.js: Middleware / Proxy bypass in App Router application - CVE-2026-44582
Next.js: Cache poisoning via collisions in React Server Comp - CVE-2026-44581
Next.js: Cross-site scripting in App Router applications usi - CVE-2026-44579
Next.js: Denial of Service via connection exhaustion in appl - CVE-2026-44578
Next.js: Server-side request forgery in applications using W
Same vendor: vercel
- CVE-2026-8769
vercel ai provider-utils response-handler.ts createJsonError - CVE-2026-8768
vercel ai provider-utils download-blob.ts validateDownloadUr - CVE-2026-8767
vercel ai PR Branch Name Interpolation prettier-on-automerge - CVE-2026-45773
Turborepo: Login callback CSRF/session fixation - CVE-2026-46508
Turborepo: VSCode Extension command injection
Same weakness: CWE-79
- CVE-2026-3481
WP Blockade <= 0.9.14 - Reflected Cross-Site Scripting via ' - CVE-2026-7509
KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input Du - CVE-2026-6864
CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site S - CVE-2026-9104
Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-S - CVE-2026-4093
Stored XSS in Drupal 7 Term Reference Tree module (token dis
V. Comments for CVE-2026-44580
No comments yet