GHSA-gx5p-jg67-6x7h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gx5p-jg67-6x7h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-gx5p-jg67-6x7h/GHSA-gx5p-jg67-6x7h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gx5p-jg67-6x7h
- Aliases
-
- CVE-2026-44580
- Published
- 2026-05-11T15:56:38Z
- Modified
- 2026-05-11T16:06:48.762217Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
- Details
-
Impact
Applications that use
beforeInteractivescripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.Fix
We now HTML-escape serialized
beforeInteractivescript content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.Workarounds
If you cannot upgrade immediately, do not pass untrusted data into
beforeInteractivescripts. If that pattern is unavoidable, sanitize or escape the content before embedding it. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-11T15:56:38Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "nvd_published_at": null }- References
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next