logo

Database

Reflected cross-site scripting (XSS) In next

Description

Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

Impact

Applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.

Fix

We now HTML-escape serialized beforeInteractive script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.

Workarounds

If you cannot upgrade immediately, do not pass untrusted data into beforeInteractive scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-445802. NVD-2026-445803. OSV-2026-445804. GHSA-gx5p-jg67-6x7h5. GCVE-2026-44580

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h2. https://github.com/vercel/next.js/releases/tag/v15.5.163. https://github.com/vercel/next.js/releases/tag/v16.2.5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.