| 0 |
| url |
VCID-29qk-jgck-2kb2 |
| vulnerability_id |
VCID-29qk-jgck-2kb2 |
| summary |
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.
Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59471 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.13005 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.13027 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12923 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.13017 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59471 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.5.10 |
| purl |
pkg:npm/next@15.5.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 3 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 4 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 5 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 8 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 9 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 10 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 11 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 12 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 13 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 14 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 15 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.10 |
|
| 1 |
| url |
pkg:npm/next@16.1.5 |
| purl |
pkg:npm/next@16.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 13 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 14 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 15 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 16 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 17 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 18 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5 |
|
|
| aliases |
CVE-2025-59471, GHSA-9g9p-9gw9-jx7f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-29qk-jgck-2kb2 |
|
| 1 |
| url |
VCID-2rsy-25vf-cufu |
| vulnerability_id |
VCID-2rsy-25vf-cufu |
| summary |
Next.js is vulnerable to RCE in React flight protocol |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.0.5 |
| purl |
pkg:npm/next@15.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 14 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 15 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 16 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.5 |
|
| 1 |
| url |
pkg:npm/next@15.1.9 |
| purl |
pkg:npm/next@15.1.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 14 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 15 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 16 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.9 |
|
| 2 |
| url |
pkg:npm/next@15.2.6 |
| purl |
pkg:npm/next@15.2.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 12 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 13 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 14 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 15 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 16 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 17 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 18 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.6 |
|
| 3 |
| url |
pkg:npm/next@15.3.6 |
| purl |
pkg:npm/next@15.3.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 12 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 13 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 14 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 15 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 16 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 17 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 18 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.6 |
|
| 4 |
| url |
pkg:npm/next@15.4.8 |
| purl |
pkg:npm/next@15.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 12 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 13 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 14 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 15 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 16 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 17 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 18 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 19 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.8 |
|
| 5 |
| url |
pkg:npm/next@15.5.7 |
| purl |
pkg:npm/next@15.5.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 12 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 13 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 14 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 15 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 16 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 17 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 18 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 19 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.7 |
|
| 6 |
|
| 7 |
| url |
pkg:npm/next@16.0.7 |
| purl |
pkg:npm/next@16.0.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 4 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 9 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 10 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 11 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 12 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 13 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 14 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 15 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 16 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 17 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 18 |
| vulnerability |
VCID-v7dq-7t8n-j7b5 |
|
| 19 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 22 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 23 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.7 |
|
| 8 |
| url |
pkg:npm/next@16.1.0-canary.0 |
| purl |
pkg:npm/next@16.1.0-canary.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 4 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 9 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 10 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 11 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 12 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 13 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 14 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 15 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 16 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 17 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 18 |
| vulnerability |
VCID-v7dq-7t8n-j7b5 |
|
| 19 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 22 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 23 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.0 |
|
|
| aliases |
CVE-2025-66478, GHSA-9qr9-h5gf-34mp
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2rsy-25vf-cufu |
|
| 2 |
| url |
VCID-2wxy-d9mx-u7du |
| vulnerability_id |
VCID-2wxy-d9mx-u7du |
| summary |
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less `/_next/data/<buildId>/<page>.json` requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44573 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16886 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16723 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16872 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.18271 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44573 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44573, GHSA-36qx-fr4f-26g5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2wxy-d9mx-u7du |
|
| 3 |
| url |
VCID-4kgz-73xy-xyb2 |
| vulnerability_id |
VCID-4kgz-73xy-xyb2 |
| summary |
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44580 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01923 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01918 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01922 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02425 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44580 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44580, GHSA-gx5p-jg67-6x7h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4kgz-73xy-xyb2 |
|
| 4 |
| url |
VCID-51mc-n64v-nugj |
| vulnerability_id |
VCID-51mc-n64v-nugj |
| summary |
Next Server Actions Source Code Exposure |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.0.6 |
| purl |
pkg:npm/next@15.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 8 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 9 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 10 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 11 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 12 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 13 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 14 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 15 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.6 |
|
| 1 |
| url |
pkg:npm/next@15.1.0 |
| purl |
pkg:npm/next@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 10 |
| vulnerability |
VCID-jgpv-ueke-37gf |
|
| 11 |
| vulnerability |
VCID-mv21-m5nh-vygs |
|
| 12 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 13 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 14 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 15 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 16 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 17 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 18 |
| vulnerability |
VCID-xz2s-8drg-8bam |
|
| 19 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 20 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 21 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 22 |
| vulnerability |
VCID-zrw8-shww-mqe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.0 |
|
| 2 |
| url |
pkg:npm/next@15.1.10 |
| purl |
pkg:npm/next@15.1.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 8 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 9 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 10 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 11 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 12 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 13 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 14 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 15 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.10 |
|
| 3 |
| url |
pkg:npm/next@15.2.7 |
| purl |
pkg:npm/next@15.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 14 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 15 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 16 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 17 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.7 |
|
| 4 |
| url |
pkg:npm/next@15.3.7 |
| purl |
pkg:npm/next@15.3.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 14 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 15 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 16 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 17 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.7 |
|
| 5 |
| url |
pkg:npm/next@15.4.9 |
| purl |
pkg:npm/next@15.4.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 14 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 15 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 16 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 17 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 18 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.9 |
|
| 6 |
| url |
pkg:npm/next@15.5.0 |
| purl |
pkg:npm/next@15.5.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 14 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 15 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 16 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 17 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.0 |
|
| 7 |
| url |
pkg:npm/next@15.5.8 |
| purl |
pkg:npm/next@15.5.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 14 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 15 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 16 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 17 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 18 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.8 |
|
| 8 |
|
| 9 |
| url |
pkg:npm/next@16.0.9 |
| purl |
pkg:npm/next@16.0.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 14 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 15 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 16 |
| vulnerability |
VCID-v7dq-7t8n-j7b5 |
|
| 17 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 18 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 19 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 20 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 21 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 22 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9 |
|
| 10 |
| url |
pkg:npm/next@16.1.0-canary.17 |
| purl |
pkg:npm/next@16.1.0-canary.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 14 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 15 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 16 |
| vulnerability |
VCID-v7dq-7t8n-j7b5 |
|
| 17 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 18 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 19 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 20 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 21 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 22 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17 |
|
|
| aliases |
GHSA-w37m-7fhw-fmv9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-51mc-n64v-nugj |
|
| 5 |
| url |
VCID-6r5c-d48p-9qa4 |
| vulnerability_id |
VCID-6r5c-d48p-9qa4 |
| summary |
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44576 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03944 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03936 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03954 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.0472 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44576 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44576, GHSA-wfc6-r584-vfw7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6r5c-d48p-9qa4 |
|
| 6 |
| url |
VCID-93c9-up9w-5fdv |
| vulnerability_id |
VCID-93c9-up9w-5fdv |
| summary |
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44577 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.05048 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.05058 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.05061 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05727 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44577 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44577, GHSA-h64f-5h5j-jqjh
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-93c9-up9w-5fdv |
|
| 7 |
| url |
VCID-b2hu-vcgt-7ydr |
| vulnerability_id |
VCID-b2hu-vcgt-7ydr |
| summary |
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44582 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01269 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
9e-05 |
| scoring_system |
epss |
| scoring_elements |
0.01081 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
9e-05 |
| scoring_system |
epss |
| scoring_elements |
0.01077 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
9e-05 |
| scoring_system |
epss |
| scoring_elements |
0.01075 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44582 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44582, GHSA-vfv6-92ff-j949
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b2hu-vcgt-7ydr |
|
| 8 |
| url |
VCID-bjvd-79eg-17f3 |
| vulnerability_id |
VCID-bjvd-79eg-17f3 |
| summary |
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-29057 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00031 |
| scoring_system |
epss |
| scoring_elements |
0.09488 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00031 |
| scoring_system |
epss |
| scoring_elements |
0.09477 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00031 |
| scoring_system |
epss |
| scoring_elements |
0.09495 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00031 |
| scoring_system |
epss |
| scoring_elements |
0.0944 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-29057 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.5.13 |
| purl |
pkg:npm/next@15.5.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 3 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 4 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 5 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 8 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 9 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 10 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 11 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 12 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 13 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 14 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.13 |
|
| 1 |
| url |
pkg:npm/next@16.1.7 |
| purl |
pkg:npm/next@16.1.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 3 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 4 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 5 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 8 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 9 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 10 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 11 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 12 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 13 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7 |
|
|
| aliases |
CVE-2026-29057, GHSA-ggv3-7p47-pfv8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bjvd-79eg-17f3 |
|
| 9 |
| url |
VCID-c9sc-ajq2-pyda |
| vulnerability_id |
VCID-c9sc-ajq2-pyda |
| summary |
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.0.8 |
| purl |
pkg:npm/next@15.0.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 8 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 9 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 10 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 11 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 12 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 13 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.8 |
|
| 1 |
| url |
pkg:npm/next@15.1.12 |
| purl |
pkg:npm/next@15.1.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 8 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 9 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 10 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 11 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 12 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 13 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.12 |
|
| 2 |
| url |
pkg:npm/next@15.2.9 |
| purl |
pkg:npm/next@15.2.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 10 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 11 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 12 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 13 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 14 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 15 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.9 |
|
| 3 |
| url |
pkg:npm/next@15.3.9 |
| purl |
pkg:npm/next@15.3.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 10 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 11 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 12 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 13 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 14 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 15 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.9 |
|
| 4 |
| url |
pkg:npm/next@15.4.11 |
| purl |
pkg:npm/next@15.4.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 10 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 11 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 12 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 13 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 14 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 15 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 16 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.11 |
|
| 5 |
| url |
pkg:npm/next@15.5.10 |
| purl |
pkg:npm/next@15.5.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 3 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 4 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 5 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 8 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 9 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 10 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 11 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 12 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 13 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 14 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 15 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.10 |
|
| 6 |
|
| 7 |
| url |
pkg:npm/next@16.0.11 |
| purl |
pkg:npm/next@16.0.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 11 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 12 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 13 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 14 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 15 |
| vulnerability |
VCID-v7dq-7t8n-j7b5 |
|
| 16 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 17 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 18 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 19 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 20 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.11 |
|
| 8 |
| url |
pkg:npm/next@16.1.5 |
| purl |
pkg:npm/next@16.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 13 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 14 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 15 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 16 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 17 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 18 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5 |
|
|
| aliases |
GHSA-h25m-26qc-wcjf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c9sc-ajq2-pyda |
|
| 10 |
| url |
VCID-gm62-hv3y-v7b8 |
| vulnerability_id |
VCID-gm62-hv3y-v7b8 |
| summary |
Next Vulnerable to Denial of Service with Server Components |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.0.6 |
| purl |
pkg:npm/next@15.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 8 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 9 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 10 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 11 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 12 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 13 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 14 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 15 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.6 |
|
| 1 |
| url |
pkg:npm/next@15.1.0 |
| purl |
pkg:npm/next@15.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 10 |
| vulnerability |
VCID-jgpv-ueke-37gf |
|
| 11 |
| vulnerability |
VCID-mv21-m5nh-vygs |
|
| 12 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 13 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 14 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 15 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 16 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 17 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 18 |
| vulnerability |
VCID-xz2s-8drg-8bam |
|
| 19 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 20 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 21 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 22 |
| vulnerability |
VCID-zrw8-shww-mqe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.0 |
|
| 2 |
| url |
pkg:npm/next@15.1.10 |
| purl |
pkg:npm/next@15.1.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 8 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 9 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 10 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 11 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 12 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 13 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 14 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 15 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.10 |
|
| 3 |
| url |
pkg:npm/next@15.2.7 |
| purl |
pkg:npm/next@15.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 14 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 15 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 16 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 17 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.7 |
|
| 4 |
| url |
pkg:npm/next@15.3.7 |
| purl |
pkg:npm/next@15.3.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 14 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 15 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 16 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 17 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.7 |
|
| 5 |
| url |
pkg:npm/next@15.4.9 |
| purl |
pkg:npm/next@15.4.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 14 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 15 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 16 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 17 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 18 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.9 |
|
| 6 |
| url |
pkg:npm/next@15.5.0 |
| purl |
pkg:npm/next@15.5.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 14 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 15 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 16 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 17 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.0 |
|
| 7 |
| url |
pkg:npm/next@15.5.8 |
| purl |
pkg:npm/next@15.5.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 13 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 14 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 15 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 16 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 17 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 18 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.8 |
|
| 8 |
|
| 9 |
| url |
pkg:npm/next@16.0.9 |
| purl |
pkg:npm/next@16.0.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 14 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 15 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 16 |
| vulnerability |
VCID-v7dq-7t8n-j7b5 |
|
| 17 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 18 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 19 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 20 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 21 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 22 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9 |
|
| 10 |
| url |
pkg:npm/next@16.1.0-canary.17 |
| purl |
pkg:npm/next@16.1.0-canary.17 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 2 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 3 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 4 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 14 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 15 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 16 |
| vulnerability |
VCID-v7dq-7t8n-j7b5 |
|
| 17 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 18 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 19 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 20 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 21 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 22 |
| vulnerability |
VCID-zuh1-7568-nbg3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17 |
|
|
| aliases |
GHSA-mwv6-3258-q52c
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gm62-hv3y-v7b8 |
|
| 11 |
| url |
VCID-haxf-nay6-v3hg |
| vulnerability_id |
VCID-haxf-nay6-v3hg |
| summary |
Next.js has a Denial of Service with Server Components
A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23869](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg). You can read more about this advisory in [this changelog](https://vercel.com/changelog/summary-of-cve-2026-23869).
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.5.15 |
| purl |
pkg:npm/next@15.5.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 3 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 4 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 5 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 8 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 9 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 10 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 11 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 12 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.15 |
|
| 1 |
| url |
pkg:npm/next@16.2.3 |
| purl |
pkg:npm/next@16.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 3 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 4 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 5 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 8 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 9 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 10 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 11 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 12 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.2.3 |
|
|
| aliases |
GHSA-q4gf-8mx6-v5v3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-haxf-nay6-v3hg |
|
| 12 |
| url |
VCID-t6n1-e9kc-hqgx |
| vulnerability_id |
VCID-t6n1-e9kc-hqgx |
| summary |
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.4.7 |
| purl |
pkg:npm/next@15.4.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 9 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 10 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 11 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 14 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 15 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 16 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 17 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 18 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 19 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 20 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.7 |
|
|
| aliases |
CVE-2025-57822, GHSA-4342-x723-ch2f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t6n1-e9kc-hqgx |
|
| 13 |
| url |
VCID-uqrk-gg9y-5bfz |
| vulnerability_id |
VCID-uqrk-gg9y-5bfz |
| summary |
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-27980 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06888 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06862 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06876 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00023 |
| scoring_system |
epss |
| scoring_elements |
0.06863 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-27980 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.5.14 |
| purl |
pkg:npm/next@15.5.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 3 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 4 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 5 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 8 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 9 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 10 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 11 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 12 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 13 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.14 |
|
| 1 |
|
| 2 |
| url |
pkg:npm/next@16.1.7 |
| purl |
pkg:npm/next@16.1.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 3 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 4 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 5 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 6 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 7 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 8 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 9 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 10 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 11 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 12 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 13 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7 |
|
|
| aliases |
CVE-2026-27980, GHSA-3x4c-7xq6-9pq8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uqrk-gg9y-5bfz |
|
| 14 |
| url |
VCID-v7dq-7t8n-j7b5 |
| vulnerability_id |
VCID-v7dq-7t8n-j7b5 |
| summary |
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:
1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.
2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.
Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.
To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59472 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0015 |
| scoring_system |
epss |
| scoring_elements |
0.35484 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.0015 |
| scoring_system |
epss |
| scoring_elements |
0.35501 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.0015 |
| scoring_system |
epss |
| scoring_elements |
0.35299 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.0015 |
| scoring_system |
epss |
| scoring_elements |
0.35478 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59472 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/next@15.0.0-rc.0 |
| purl |
pkg:npm/next@15.0.0-rc.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 6 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 10 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 13 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 14 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 15 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 16 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 17 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.0-rc.0 |
|
| 1 |
| url |
pkg:npm/next@15.0.1 |
| purl |
pkg:npm/next@15.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 12 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 13 |
| vulnerability |
VCID-jgpv-ueke-37gf |
|
| 14 |
| vulnerability |
VCID-mv21-m5nh-vygs |
|
| 15 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 16 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 17 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 18 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xz2s-8drg-8bam |
|
| 22 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 23 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 24 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.1 |
|
| 2 |
| url |
pkg:npm/next@15.0.2 |
| purl |
pkg:npm/next@15.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 12 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 13 |
| vulnerability |
VCID-jgpv-ueke-37gf |
|
| 14 |
| vulnerability |
VCID-mv21-m5nh-vygs |
|
| 15 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 16 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 17 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 18 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xz2s-8drg-8bam |
|
| 22 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 23 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 24 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.2 |
|
| 3 |
| url |
pkg:npm/next@15.0.3 |
| purl |
pkg:npm/next@15.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 12 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 13 |
| vulnerability |
VCID-jgpv-ueke-37gf |
|
| 14 |
| vulnerability |
VCID-mv21-m5nh-vygs |
|
| 15 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 16 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 17 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 18 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xz2s-8drg-8bam |
|
| 22 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 23 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 24 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.3 |
|
| 4 |
| url |
pkg:npm/next@15.0.4 |
| purl |
pkg:npm/next@15.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 12 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 13 |
| vulnerability |
VCID-jgpv-ueke-37gf |
|
| 14 |
| vulnerability |
VCID-mv21-m5nh-vygs |
|
| 15 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 16 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 17 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 18 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xz2s-8drg-8bam |
|
| 22 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 23 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 24 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 25 |
| vulnerability |
VCID-zrw8-shww-mqe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.4 |
|
| 5 |
| url |
pkg:npm/next@15.1.1 |
| purl |
pkg:npm/next@15.1.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 9 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 10 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 11 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 12 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 13 |
| vulnerability |
VCID-jgpv-ueke-37gf |
|
| 14 |
| vulnerability |
VCID-mv21-m5nh-vygs |
|
| 15 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 16 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 17 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 18 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xz2s-8drg-8bam |
|
| 22 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 23 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 24 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
| 25 |
| vulnerability |
VCID-zrw8-shww-mqe4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.1 |
|
| 6 |
| url |
pkg:npm/next@15.2.0 |
| purl |
pkg:npm/next@15.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 9 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 10 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 11 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 14 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 15 |
| vulnerability |
VCID-mv21-m5nh-vygs |
|
| 16 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 17 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 18 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 19 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 20 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 21 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 22 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 23 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 24 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.0 |
|
| 7 |
| url |
pkg:npm/next@15.2.1 |
| purl |
pkg:npm/next@15.2.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 9 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 10 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 11 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 14 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 15 |
| vulnerability |
VCID-mv21-m5nh-vygs |
|
| 16 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 17 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 18 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 19 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 20 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 21 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 22 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 23 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 24 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.1 |
|
| 8 |
| url |
pkg:npm/next@15.2.2 |
| purl |
pkg:npm/next@15.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 9 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 10 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 11 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 14 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 15 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 16 |
| vulnerability |
VCID-s5uv-nxf7-rkbj |
|
| 17 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 18 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 22 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 23 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.2 |
|
| 9 |
| url |
pkg:npm/next@15.3.0 |
| purl |
pkg:npm/next@15.3.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-6u6c-nuys-c3a3 |
|
| 8 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 9 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 10 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 11 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 12 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 13 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 14 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 15 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 16 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 17 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 18 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 22 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 23 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.0 |
|
| 10 |
| url |
pkg:npm/next@15.3.1 |
| purl |
pkg:npm/next@15.3.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-6u6c-nuys-c3a3 |
|
| 8 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 9 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 10 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 11 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 12 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 13 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 14 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 15 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 16 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 17 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 18 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 22 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 23 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.1 |
|
| 11 |
| url |
pkg:npm/next@15.4.0 |
| purl |
pkg:npm/next@15.4.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 9 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 10 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 11 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 14 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 15 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 16 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 17 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 18 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 22 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 23 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.0 |
|
| 12 |
| url |
pkg:npm/next@15.4.2 |
| purl |
pkg:npm/next@15.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 9 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 10 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 11 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 14 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 15 |
| vulnerability |
VCID-p7a7-ehjr-xqf3 |
|
| 16 |
| vulnerability |
VCID-t6n1-e9kc-hqgx |
|
| 17 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 18 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 19 |
| vulnerability |
VCID-wdsq-y8uf-2feh |
|
| 20 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 21 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 22 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 23 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.2 |
|
| 13 |
| url |
pkg:npm/next@15.5.1 |
| purl |
pkg:npm/next@15.5.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-29qk-jgck-2kb2 |
|
| 1 |
| vulnerability |
VCID-2rsy-25vf-cufu |
|
| 2 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 3 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 4 |
| vulnerability |
VCID-51mc-n64v-nugj |
|
| 5 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 6 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 7 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 8 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 9 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 10 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 11 |
| vulnerability |
VCID-c9sc-ajq2-pyda |
|
| 12 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 13 |
| vulnerability |
VCID-gm62-hv3y-v7b8 |
|
| 14 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 15 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 16 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 17 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 18 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 19 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 20 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.1 |
|
| 14 |
|
| 15 |
| url |
pkg:npm/next@16.1.5 |
| purl |
pkg:npm/next@16.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2wxy-d9mx-u7du |
|
| 1 |
| vulnerability |
VCID-4kgz-73xy-xyb2 |
|
| 2 |
| vulnerability |
VCID-51r9-nmc2-tyc7 |
|
| 3 |
| vulnerability |
VCID-5ehn-67ys-73h1 |
|
| 4 |
| vulnerability |
VCID-6r5c-d48p-9qa4 |
|
| 5 |
| vulnerability |
VCID-93c9-up9w-5fdv |
|
| 6 |
| vulnerability |
VCID-9r3b-phvp-xfck |
|
| 7 |
| vulnerability |
VCID-b2hu-vcgt-7ydr |
|
| 8 |
| vulnerability |
VCID-bjvd-79eg-17f3 |
|
| 9 |
| vulnerability |
VCID-chsk-ka34-yqaf |
|
| 10 |
| vulnerability |
VCID-gh18-cr6c-47hm |
|
| 11 |
| vulnerability |
VCID-haxf-nay6-v3hg |
|
| 12 |
| vulnerability |
VCID-qptg-e7c6-puhs |
|
| 13 |
| vulnerability |
VCID-uqrk-gg9y-5bfz |
|
| 14 |
| vulnerability |
VCID-w4pk-pmxb-c7fr |
|
| 15 |
| vulnerability |
VCID-wgv6-ermy-yycy |
|
| 16 |
| vulnerability |
VCID-xzrf-tsxp-hqeg |
|
| 17 |
| vulnerability |
VCID-yddv-cunp-yyd7 |
|
| 18 |
| vulnerability |
VCID-zrny-u44x-3fh1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5 |
|
|
| aliases |
CVE-2025-59472, GHSA-5f7q-jpqc-wp7h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v7dq-7t8n-j7b5 |
|
| 15 |
| url |
VCID-wgv6-ermy-yycy |
| vulnerability_id |
VCID-wgv6-ermy-yycy |
| summary |
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44581 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.0146 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01451 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01454 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01786 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44581 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44581, GHSA-ffhc-5mcf-pf4q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wgv6-ermy-yycy |
|
| 16 |
| url |
VCID-xzrf-tsxp-hqeg |
| vulnerability_id |
VCID-xzrf-tsxp-hqeg |
| summary |
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-44572, GHSA-3g8h-86w9-wvmq
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xzrf-tsxp-hqeg |
|
| 17 |
| url |
VCID-yddv-cunp-yyd7 |
| vulnerability_id |
VCID-yddv-cunp-yyd7 |
| summary |
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44578 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.07215 |
| scoring_system |
epss |
| scoring_elements |
0.91838 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.07215 |
| scoring_system |
epss |
| scoring_elements |
0.91801 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.07215 |
| scoring_system |
epss |
| scoring_elements |
0.91829 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.07797 |
| scoring_system |
epss |
| scoring_elements |
0.92193 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-44578 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44578, GHSA-c4j6-fc7j-m34r
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yddv-cunp-yyd7 |
|
| 18 |
| url |
VCID-zrny-u44x-3fh1 |
| vulnerability_id |
VCID-zrny-u44x-3fh1 |
| summary |
Next.js Vulnerable to Denial of Service with Server Components
A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23870](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh).
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-8h8q-6873-q5fj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zrny-u44x-3fh1 |
|