458 matches found

Nuclei
added 15 hours ago, 20 views

Nextjs <2.4.1 - Local File Inclusion

ZEIT Next.js before 2.4.1 is susceptible to local file inclusion via the /next and /static request namespace, allowing attackers to obtain sensitive information. id: CVE-2017-16877 info: name: Nextjs 2.4.1 - Local File Inclusion author: pikpikcu severity: high description: ZEIT Next.js before 2.4...

CVSS 7.5, AI score 7.2, EPSS 0.80763
Exploits: 0, References: 5

Nuclei
added yesterday, 86 views

Next.js Middleware Bypass

Next.js contains a critical middleware bypass vulnerability affecting versions 11.1.4 through 15.2.2. The vulnerability allows attackers to bypass middleware security controls by sending a specially crafted 'x-middleware-subrequest' header, which can lead to authorization bypass and other securit...

CVSS 9.1, AI score 7.2, EPSS 0.92118
Exploits: 55, References: 3

Nuclei
added yesterday, 37 views

React Server Components - Remote Code Execution

React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain a remote code execution caused by unsafe deserialization of payloads from HTTP requests to Server Function endpoints, letting...

CVSS 10, AI score 8.4, EPSS 0.84541
Exploits: 362, References: 8

Tenable Nessus
added 3 days ago, 7 views

Linux Distros Unpatched Vulnerability : CVE-2026-44575

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware...

CVSS 7.5, AI score 5.8, EPSS 0.00053
Exploits: 0, References: 2

Tenable Nessus
added 3 days ago, 7 views

Linux Distros Unpatched Vulnerability : CVE-2026-44582

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be...

CVSS 3.7, AI score 5.8, EPSS 0.00009
Exploits: 1, References: 2

Tenable Nessus
added 3 days ago, 6 views

Linux Distros Unpatched Vulnerability : CVE-2026-44577

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default imag...

CVSS 5.9, AI score 5.8, EPSS 0.00018
Exploits: 1, References: 2

RedhatCVE
added 4 days ago, 13 views

CVE-2026-44578

A flaw was found in Next.js. Self-hosted applications utilizing the built-in Node.js server are vulnerable to Server-Side Request Forgery (SSRF) through specially crafted WebSocket upgrade requests. A remote attacker can exploit this by causing the server to proxy requests to arbitrary internal or...

CVSS 8.6, AI score 5.8, EPSS 0.0581
Exploits: 7, References: 4

RedhatCVE
added 4 days ago, 13 views

CVE-2026-44573

A flaw was found in Next.js. Applications utilizing the Pages Router with internationalization (i18n) configured and middleware or proxy-based authorization are susceptible to unauthorized access. A remote attacker can exploit this by making locale-less /next/data//.json requests, which bypass the...

CVSS 7.5, AI score 5.7, EPSS 0.00052
Exploits: 1, References: 4

Snyk
added 4 days ago, 4 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

CVSS 9.8, AI score 5.6
Exploits: 0, References: 2

GithubExploit
added 5 days ago, 70 views

Exploit for Server-Side Request Forgery in Vercel Next.Js

NEXT-SSRF SSRF — CVE-2026-44578 Scanner & Exploit Next...

CVSS 8.6, AI score 5.8, EPSS 0.0581
Exploits: 7

GithubExploit
added 2026/05/15 9:2 a.m., 73 views

Exploit for Server-Side Request Forgery in Vercel Next.Js

CVE-2026-44578 - Next.js WebSocket SSRF PoC Vulnerability:...

CVSS 8.6, AI score 5.8, EPSS 0.0581
Exploits: 7

Tenable Nessus
added 2026/05/15 12:0 a.m., 23 views

Next.js Framework 15.4.x < 15.5.16 / 16.x < 16.2.5 Authorization Bypass

The Next.js Framework on the remote host is affected by an authorization bypass vulnerability: - Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. Specially crafted query parameters can alter the dynamic route value seen by the page while...

CVSS 8.1, AI score 5.8, EPSS 0.00011
Exploits: 2, References: 2

NVD
added 2026/05/13 6:16 p.m., 8 views

CVE-2026-45109

Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6...

CVSS 7.5, EPSS 0.00014
Exploits: 0, References: 1

CVE
added 2026/05/13 5:11 p.m., 20 views

CVE-2026-45109

This CVE relates to Next.js prior to fixes: from 15.2.0 to before 15.5.18 and 16.2.6, the fix for CVE-2026-44575 did not apply to middleware.ts with Turbopack. The vulnerability is fixed in Next.js versions 15.5.18 and 16.2.6. Affected software: Next.js (Next.js framework for full‑stack apps). Un...

CVSS 7.5, AI score 5.8, EPSS 0.00014
Exploits: 0, References: 1, Affected Software: 1

CVE
added 2026/05/13 5:1 p.m., 30 views

CVE-2026-44578

CVE-2026-44578 affects Next.js self-hosted deployments using the built-in Node.js server. The issue enables server-side request forgery via crafted WebSocket upgrade requests, allowing an attacker to proxy requests to internal or external destinations and potentially expose internal services or c...

CVSS 8.6, AI score 5.9, EPSS 0.0581
Exploits: 7, References: 1, Affected Software: 1

Vulnrichment
added 2026/05/13 4:48 p.m., 4 views

CVE-2026-44573 Next.js: Middleware / Proxy bypass in Pages Router applications using i18n

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less...

CVSS 7.5, AI score 5.8, EPSS 0.00052
Exploits: 1, References: 1

NVD
added 2026/05/13 4:16 p.m., 9 views

CVE-2026-44572

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat t...

CVSS 5.9, EPSS 0.00008
Exploits: 0, References: 1

Vulnrichment
added 2026/05/13 3:57 p.m., 5 views

CVE-2026-44572 Next.js: Middleware / Proxy redirects can be cache-poisoned

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat t...

CVSS 3.7, AI score 5.8, EPSS 0.00008
Exploits: 0, References: 1

CVE
added 2026/05/13 3:57 p.m., 15 views

CVE-2026-44572

Summary of CVE-2026-44572 (Next.js): Affects Next.js versions 12.2.0 to just before 15.5.16 and 16.2.5. An external client could send the x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. The middleware could treat this as a data request and replace...

CVSS 5.9, AI score 5.8, EPSS 0.00008
Exploits: 0, References: 1, Affected Software: 1

ATTACKERKB
added 2026/05/13 3:57 p.m., 2 views

CVE-2026-44572

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat t...

CVSS 3.7, AI score 5.8, EPSS 0.00008
Exploits: 0, References: 2, Affected Software: 1