Security context
What an agent needs to avoid regressing past fixes — and find the next bug in this project.
55
Advisories
47
CVEs
Critical
Peak severity
55
With fix diff
Distribution
By severity
Critical
2
High
22
Medium
23
Low
8
By weakness class
Other
18
Denial of Service
13
Cross-site Scripting
4
Auth / Access Control
4
Improper Validation
4
SSRF
3
Path Traversal
3
Deserialization
2
Open Redirect
2
CSRF
1
Every fixed vulnerability (55)
Critical2 fixed
High22 fixed
HighNext.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-UpCVE-2026-451092mo agoHighNext.js vulnerable to Denial of Service via connection exhaustion in applications using Cache ComponentsCVE-2026-445792mo agoHighNext.js vulnerable to server-side request forgery in applications using WebSocket upgradesCVE-2026-445782mo agoHighNext.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routesCVE-2026-445752mo agoHighNext.js has a Middleware / Proxy bypass through dynamic route parameter injectionCVE-2026-445742mo agoHighNext.js has a Middleware / Proxy bypass in Pages Router applications using i18nCVE-2026-445732mo agoHighNext.js Vulnerable to Denial of Service with Server ComponentsGHSA-8h8q-6873-q5fj2mo agoHighNext.js has a Denial of Service with Server ComponentsGHSA-q4gf-8mx6-v5v33mo agoHighNext.js HTTP request deserialization can lead to DoS when using insecure React Server ComponentsGHSA-h25m-26qc-wcjf5mo agoHighNext has a Denial of Service with Server Components - Incomplete Fix Follow-UpGHSA-5j59-xgg2-r9c47mo agoHighNext Vulnerable to Denial of Service with Server ComponentsGHSA-mwv6-3258-q52c7mo agoHighNext.JS vulnerability can lead to DoS via cache poisoning CVE-2025-498261y agoHighNext.js authorization bypass vulnerabilityCVE-2024-514791y agoHighNext.js Cache PoisoningCVE-2024-469821y agoHighNext.js Denial of Service (DoS) conditionCVE-2024-396932y agoHighNext.js Server-Side Request Forgery in Server ActionsCVE-2024-343512y agoHighNext.js Vulnerable to HTTP Request SmugglingCVE-2024-343502y agoHighUnexpected server crash in Next.js.CVE-2021-438034y agoHighXSS in Image Optimization API for Next.jsCVE-2021-391784y agoHighRemote Code Execution in nextGHSA-5vj8-3v2h-h38v5y agoHighDirectory traversal vulnerability in Next.jsCVE-2018-61848y agoHighNext.js Directory Traversal VulnerabilityCVE-2017-168778y ago
Medium23 fixed
MediumNext.js vulnerable to cross-site scripting in App Router applications using CSP noncesCVE-2026-445812mo agoMediumNext.js has cross-site scripting in beforeInteractive scripts with untrusted inputCVE-2026-445802mo agoMediumNext.js has a Denial of Service in the Image Optimization APICVE-2026-445772mo agoMediumNext.js vulnerable to cache poisoning in React Server Component responsesCVE-2026-445762mo agoMediumNext.js: HTTP request smuggling in rewritesCVE-2026-290574mo agoMediumNext.js: Unbounded next/image disk cache growth can exhaust storageCVE-2026-279804mo agoMediumNext.js: Unbounded postponed resume buffering can lead to DoSCVE-2026-279794mo agoMediumNext.js: null origin can bypass Server Actions CSRF checksCVE-2026-279784mo agoMediumNext.js has Unbounded Memory Consumption via PPR Resume Endpoint CVE-2025-594725mo agoMediumNext.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configurationCVE-2025-594715mo agoMediumNext Server Actions Source Code Exposure GHSA-w37m-7fhw-fmv97mo agoMediumNext.js Affected by Cache Key Confusion for Image Optimization API RoutesCVE-2025-5775210mo agoMediumNext.js Content Injection Vulnerability for Image OptimizationCVE-2025-5517310mo agoMediumNext.js Improper Middleware Redirect Handling Leads to SSRFCVE-2025-5782210mo agoMediumNext.js Allows a Denial of Service (DoS) with Server ActionsCVE-2024-563321y agoMediumDenial of Service condition in Next.js image optimizationCVE-2024-478311y agoMediumUnexpected server crash in Next.jsCVE-2022-360463y agoMediumImproper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0CVE-2022-236464y agoMediumDenial of Service Vulnerability in next.jsCVE-2022-217214y agoMediumOpen Redirect in Next.jsCVE-2021-376994y agoMediumOpen Redirect in Next.js versionsCVE-2020-152425y agoMediumDirectory Traversal in Next.jsCVE-2020-52846y agoMediumNext.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error pageCVE-2018-182827y ago
Low8 fixed
LowNext.js's Middleware / Proxy redirects can be cache-poisonedCVE-2026-445722mo agoLowNext.js vulnerable to cache poisoning via collisions in React Server Component cache-bustingCVE-2026-445822mo agoLowNext.js: null origin can bypass dev HMR websocket CSRF checksCVE-2026-279774mo agoLowNext.js has a Cache poisoning vulnerability due to omission of the Vary headerCVE-2025-490051y agoLowInformation exposure in Next.js dev server due to lack of origin verificationCVE-2025-480681y agoLowNext.js Race Condition to Cache PoisoningCVE-2025-324211y agoLowNext.js may leak x-middleware-subrequest-id to external hostsCVE-2025-302181y agoLowNext.js missing cache-control header may lead to CDN caching empty replyCVE-2023-462982y ago