Lucene search
+L

470 matches found

Nuclei
Nuclei
added 20 hours ago34 views

Nextjs <2.4.1 - Local File Inclusion

ZEIT Next.js before 2.4.1 is susceptible to local file inclusion via the /next and /static request namespace, allowing attackers to obtain sensitive information. id: CVE-2017-16877 info: name: Nextjs 2.4.1 - Local File Inclusion author: pikpikcu severity: high description: ZEIT Next.js before 2.4...

7.5CVSS7.4AI score0.14104EPSS
Exploits0References5
NVD
NVD
added 6 days ago6 views

CVE-2026-62327

9Router through version 0.4.41 contains an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit th...

9.3CVSS0.00371EPSS
Exploits0References2
OSV
OSV
added 6 days ago6 views

CVE-2026-62327 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats

9Router through version 0.4.41 contains an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit th...

9.3CVSS6.1AI score0.01905EPSS
Exploits0References5
CVE
CVE
added 6 days ago17 views

CVE-2026-59801

CVE-2026-59801 affects 9Router up to version 0.4.41 and is caused by missing authentication middleware in Next.js API routes under src/app/api/providers/*. It allows unauthenticated remote interaction with provider management endpoints, enabling enumeration, creation, modification, or deletion of...

9.8CVSS6.1AI score0.01905EPSS
Exploits0References2
Nuclei
Nuclei
added 2026/07/11 12:22 a.m.153 views

Next.js Middleware Bypass

Next.js contains a critical middleware bypass vulnerability affecting versions 11.1.4 through 15.2.2. The vulnerability allows attackers to bypass middleware security controls by sending a specially crafted 'x-middleware-subrequest' header, which can lead to authorization bypass and other securit...

9.1CVSS6.8AI score0.99301EPSS
Exploits58References3
RedHat Linux
RedHat Linux
added 2026/07/02 12:3 a.m.9 views

next.js: Next.js: Denial of Service via crafted POST requests to server actions

A flaw was found in Next.js. Applications utilizing Partial Prerendering via the Cache Components feature are susceptible to connection exhaustion. A remote attacker can send crafted POST requests to a server action, triggering a request-body handling deadlock. This leaves connections open,...

7.5CVSS6AI score0.00546EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2026/07/02 12:3 a.m.8 views

next.js: Next.js: Unauthorized access to protected content via middleware bypass

A flaw was found in Next.js. App Router applications that use middleware or proxy-based authorization checks are vulnerable to unauthorized access. A remote attacker can exploit this by crafting specific .rsc and segment-prefetch URLs, which bypass the intended middleware rules. This allows acces...

7.5CVSS5.9AI score0.01558EPSS
Exploits0References5
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.93 views

React Server Components - Remote Code Execution

React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain a remote code execution caused by unsafe deserialization of payloads from HTTP requests to Server Function endpoints, letting...

10CVSS8.7AI score0.99562EPSS
Exploits377References8
GithubExploit
GithubExploit
added 2026/06/16 1:38 a.m.200 views

Exploit for Deserialization of Untrusted Data in Facebook React

CVE-2025-55182 — React2Shell Critical pre-authentication Remo...

10CVSS7.9AI score0.99562EPSS
Exploits377
Tenable Nessus
Tenable Nessus
added 2026/06/03 12:0 a.m.14 views

Linux Distros Unpatched Vulnerability : CVE-2026-44575

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware...

7.5CVSS5.8AI score0.01558EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/03 12:0 a.m.12 views

Linux Distros Unpatched Vulnerability : CVE-2026-44577

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default imag...

5.9CVSS5.8AI score0.00722EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2026/06/03 12:0 a.m.13 views

Linux Distros Unpatched Vulnerability : CVE-2026-44582

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be...

3.7CVSS5.8AI score0.00203EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/06/02 11:53 p.m.24 views

CVE-2026-44578

A flaw was found in Next.js. Self-hosted applications utilizing the built-in Node.js server are vulnerable to Server-Side Request Forgery SSRF through specially crafted WebSocket upgrade requests. A remote attacker can exploit this by causing the server to proxy requests to arbitrary internal or...

8.6CVSS5.8AI score0.38872EPSS
Exploits9References4
RedhatCVE
RedhatCVE
added 2026/06/02 11:53 p.m.20 views

CVE-2026-44573

A flaw was found in Next.js. Applications utilizing the Pages Router with internationalization i18n configured and middleware or proxy-based authorization are susceptible to unauthorized access. A remote attacker can exploit this by making locale-less /next/data//.json requests, which bypass the...

7.5CVSS5.7AI score0.00606EPSS
Exploits1References4
Snyk
Snyk
added 2026/06/02 9:0 p.m.20 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
GithubExploit
GithubExploit
added 2026/06/01 5:34 a.m.160 views

Exploit for Server-Side Request Forgery in Vercel Next.Js

NEXT-SSRF SSRF — CVE-2026-44578 Scanner & Exploit ║ ║ Next...

8.6CVSS5.8AI score0.38872EPSS
Exploits9
GithubExploit
GithubExploit
added 2026/05/15 9:2 a.m.177 views

Exploit for Server-Side Request Forgery in Vercel Next.Js

CVE-2026-44578 - Next.js WebSocket SSRF PoC Vulnerability:...

8.6CVSS5.8AI score0.38872EPSS
Exploits9
Tenable Nessus
Tenable Nessus
added 2026/05/15 12:0 a.m.59 views

Next.js Framework 15.4.x < 15.5.16 / 16.x < 16.2.5 Authorization Bypass

The Next.js Framework on the remote host is affected by an authorization bypass vulnerability: - Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. Specially crafted query parameters can alter the dynamic route value seen by the page while...

8.1CVSS5.8AI score0.00496EPSS
Exploits2References2
NVD
NVD
added 2026/05/13 6:16 p.m.31 views

CVE-2026-45109

Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6...

7.5CVSS0.00556EPSS
Exploits0References7
CVE
CVE
added 2026/05/13 5:11 p.m.86 views

CVE-2026-45109

This CVE relates to Next.js prior to fixes: from 15.2.0 to before 15.5.18 and 16.2.6, the fix for CVE-2026-44575 did not apply to middleware.ts with Turbopack. The vulnerability is fixed in Next.js versions 15.5.18 and 16.2.6. Affected software: Next.js (Next.js framework for full‑stack apps). Un...

7.5CVSS5.8AI score0.00556EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder