CVE-2026-44580

MEDIUM LAB

Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input

Title source: CNA

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-44580. PoCs published by dwisiswant0 and XZ1r0.

Description

Next.js is a React framework for building full-stack web applications. In versions from 13.0.0 up to (but not including) 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.

Exploits (2)

GitHub · Working PoC · 127 stars
by dwisiswant0 · Python PoC
https://github.com/dwisiswant0/next-16.2.4-pocs

This repository contains functional proof-of-concept exploits for multiple CVEs in Next.js v16.2.4, including detailed write-ups, vulnerable code excerpts, and runnable exploit scripts. The PoCs cover vulnerabilities such as SSRF, XSS, DoS, and cache poisoning, with a focus on reverse-engineered security issues fixed in Next.js v16.2.5.

Classification: Working PoC 95%
Attack Type: SSRF | XSS | DoS | Auth Bypass | Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Next.js v16.2.4
No auth needed
Prerequisites: Vulnerable Next.js v16.2.4 installation · Network access to the target
Analyzed by devstral-2 on May 13, 2026

GitHub · Working PoC
by XZ1r0 · Python PoC
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/next-16.2.4-pocs/poc/CVE-2026-44580_GHSA-gx5p-jg67-6x7h

This repository contains a functional exploit for CVE-2026-44580, a Next.js XSS vulnerability in the `next/script` component with `strategy='beforeInteractive'`. The exploit demonstrates how unescaped HTML characters in JSON-stringified props can break out of inline scripts, leading to arbitrary JavaScript execution.

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Next.js < 16.2.5
No auth needed
Prerequisites: Next.js application with a page that forwards user-controlled data through `<Script strategy='beforeInteractive'>` props
Analyzed by devstral-2 on May 21, 2026

Scores

CVSS v3: 6.1
EPSS: 0.0001
EPSS Percentile: 2.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (5)
npm/next 13.0.0 - 15.5.16 (npm)
npm/next 16.0.0 - 16.2.5 (npm)
vercel/next.js 13.0.0 - 15.5.16
vercel/next.js >= 13.0.0, < 15.5.16
vercel/next.js >= 16.0.0, < 16.2.5
Published: May 13, 2026
Tracked Since: May 13, 2026