EUVD-2025-26244

Malicious code in bioql PyPI...

Content Injection

Next.js is vulnerable to content injection. The vulnerability is due to attacker-controlled external image sources being able to trigger file downloads with arbitrary content and filenames under specific configurations, which allows an attacker to perform phishing or deliver malicious files...

Missing Source Correlation of Multiple Independent Data

Overview next is a react framework. Affected versions of this package are vulnerable to Missing Source Correlation of Multiple Independent Data in image-optimizer. An attacker can cause arbitrary files to be downloaded with attacker-controlled content and filenames by supplying malicious external...

GHSA-XV57-4MR9-WG8V Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious...

PT-2025-35326

Name of the Vulnerable Software and Affected Versions: Next.js versions prior to 14.2.31 Next.js versions 15.0.0 through 15.4.5 Description: Next.js Image Optimization is susceptible to content injection. Attackers controlling external image sources can trigger file downloads with arbitrary conte...