CVE-2026-44580
Cross-Site Scripting vulnerability in next (npm)
What is CVE-2026-44580 About?
Applications using `beforeInteractive` scripts with untrusted content are vulnerable to Cross-Site Scripting (XSS). This flaw occurs because serialized script content is not safely escaped before being embedded into the document, allowing attacker-controlled input to execute arbitrary JavaScript. Exploitation requires the ability to inject untrusted data into `beforeInteractive` scripts.
Affected Software
- next
- >=16.0.0, <16.2.5
- >=13.0.0, <15.5.16
Technical Details
The vulnerability manifests in applications that utilize beforeInteractive scripts in conjunction with untrusted content. Specifically, the issue arises because serialized script content is not properly HTML-escaped before it is embedded directly into the HTML document. This oversight creates an injection point where attacker-controlled input within these scripts can 'break out' of the intended script context. Once outside, the attacker can execute arbitrary JavaScript code within a visitor's browser, leading to a Cross-Site Scripting (XSS) attack. This allows for session hijacking, defacement, or other client-side malicious activities.
What is the Impact of CVE-2026-44580?
Successful exploitation may allow attackers to execute arbitrary JavaScript in a user's browser, leading to session hijacking, defacement, data theft, or redirection to malicious sites.
What is the Exploitability of CVE-2026-44580?
Exploitation requires the ability to inject untrusted data into beforeInteractive scripts. This is typically a remote attack, but authentication and privilege requirements depend on how untrusted data enters the script context. The complexity is moderate, as it involves crafting input that can escape the script context. Risk factors include applications that dynamically generate beforeInteractive scripts based on user input, or applications that fail to sanitize such input properly before embedding. The lack of proper escaping is the direct cause, making thorough sanitization or upgrading essential.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2026-44580?
Available Upgrade Options
- next
- >=13.0.0, <15.5.16 → Upgrade to 15.5.16
- next
- >=16.0.0, <16.2.5 → Upgrade to 16.2.5
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
What are Similar Vulnerabilities to CVE-2026-44580?
Similar Vulnerabilities: CVE-2023-45819 , CVE-2023-28155 , CVE-2023-38407 , CVE-2022-42962 , CVE-2021-39281
