CVE-2026-44580

Name of the Vulnerable Software and Affected Versions Next.js versions 13.0.0 through 15.5.15 Next.js versions 16.0.0 through 16.2.4

Description Applications using beforeInteractive scripts combined with untrusted content are susceptible to cross-site scripting (XSS), a flaw where malicious scripts are injected into trusted websites. Serialized script content was not safely escaped before being embedded into the document, allowing attacker-controlled input to exit the intended script context and execute arbitrary JavaScript in the visitor's browser.

Recommendations Update to version 15.5.16. Update to version 16.2.5. Avoid passing untrusted data into beforeInteractive scripts. Sanitize or escape content before embedding it if using untrusted data in beforeInteractive scripts is unavoidable.