{"id":"GHSA-gx5p-jg67-6x7h","summary":"Next.js has cross-site scripting in beforeInteractive scripts with untrusted input","details":"### Impact\n\nApplications that use `beforeInteractive` scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.\n\n### Fix\n\nWe now HTML-escape serialized `beforeInteractive` script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.\n\n### Workarounds\n\nIf you cannot upgrade immediately, do not pass untrusted data into `beforeInteractive` scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.","aliases":["CVE-2026-44580"],"modified":"2026-05-13T03:44:29.207199067Z","published":"2026-05-11T15:56:38Z","related":["CGA-h76m-2q9m-82h7"],"database_specific":{"github_reviewed":true,"cwe_ids":["CWE-79"],"nvd_published_at":null,"github_reviewed_at":"2026-05-11T15:56:38Z","severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h"},{"type":"PACKAGE","url":"https://github.com/vercel/next.js"},{"type":"WEB","url":"https://github.com/vercel/next.js/releases/tag/v15.5.16"},{"type":"WEB","url":"https://github.com/vercel/next.js/releases/tag/v16.2.5"}],"affected":[{"package":{"name":"next","ecosystem":"npm","purl":"pkg:npm/next"},"ranges":[{"type":"SEMVER","events":[{"introduced":"13.0.0"},{"fixed":"15.5.16"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gx5p-jg67-6x7h/GHSA-gx5p-jg67-6x7h.json"}},{"package":{"name":"next","ecosystem":"npm","purl":"pkg:npm/next"},"ranges":[{"type":"SEMVER","events":[{"introduced":"16.0.0"},{"fixed":"16.2.5"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gx5p-jg67-6x7h/GHSA-gx5p-jg67-6x7h.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}