next
182 known vulnerabilities · 2 critical · 10 high
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
Next.js has a Denial of Service with Server Components
Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page
Next.js: Unbounded next/image disk cache growth can exhaust storage
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
Next.js missing cache-control header may lead to CDN caching empty reply
Next.js has a Cache poisoning vulnerability due to omission of the Vary header
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
Next.js is vulnerable to RCE in React flight protocol
Next Server Actions Source Code Exposure
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
Next Vulnerable to Denial of Service with Server Components
Malicious code in pos-next-react-native (npm)
Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions
Malicious code in cscchokidar-next (npm)
Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication
Malicious code in nextjs-accelerator (npm)
Malicious code in next.js-localized (npm)
@mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools
Malicious code in next-auths (npm)
Malicious code in next-logging-patcher (npm)
Malicious code in next-rwa (npm)
tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
Malicious code in @nexthink/apollo-tokens (npm)
Malicious code in @nexthink/arm-jwt-decoder (npm)
Malicious code in @nexthink/apollo-components (npm)
Malicious code in @nexthink/flow-fe (npm)
Malicious code in @nexthink/waas (npm)
Malicious code in next-10-local (npm)
next-intl has an open redirect vulnerability
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
Malicious code in kratos-nextjs-react-example (npm)
Malicious code in @nexthink/investigations-components (npm)
OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication
Malicious code in next-with-frontegg (npm)
Malicious code in next-plugin-normal (npm)
Malicious code in nextcloud-activity (npm)
Malicious code in @nexthink/kendo-react (npm)
Malicious code in @nexthink/nql-editor (npm)
Malicious code in gbiz-next (npm)
Malicious code in next-circular-dependency (npm)
@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url
Malicious code in next-id-doc (npm)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs
Malicious code in nextcloud2 (npm)
NextAuth.js default redirect callback vulnerable to open redirects
Malicious code in cschokidar-next (npm)
@payloadcms/next has Stored XSS in Admin Panel
Malicious code in assistants-nextjs (npm)
next-auth before v4.10.2 and v3.29.9 leaks excessive information into log
Malicious code in nextcloud1 (npm)
Malicious code in vite-next-loggers (npm)
Malicious code in react-resource-router-next (npm)
opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass
Malicious code in vscode-typescript-next (npm)
Malicious code in webpack-next (npm)
Malicious code in next-pwa-template (npm)
URL Redirection to Untrusted Site ('Open Redirect') in next-auth
Malicious code in @nationalgeographicsociety/ngsui-header-auth-provider-next (npm)
Malicious code in nextiva-dot-com (npm)
NextChat has full-read SSRF and XSS vulnerability in /api/cors endpoint
Malicious code in next-auth-core (npm)
Malicious code in h3-next (npm)
Malicious code in @nexthink/ea-widgets (npm)
Malicious code in @nexthink/nxassignment (npm)
Malicious code in app-bridge-next (npm)
Postiz App has a High-Severity SSRF Vulnerability via Next.js
@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
Malicious code in next-refresh-token (npm)
NextAuthjs Email misdelivery Vulnerability
Malicious code in @nexthink/apollo-widgets (npm)
Malicious code in next-tab (npm)
Malicious code in react-monorail-next (npm)
Malicious code in next-log-patcher (npm)
Malicious code in frontend-vue-next (npm)
Malicious code in waffles-next-doc-site (npm)
Malicious code in lexical-esm-nextjs (npm)
next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content
OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
Malicious code in wix-smarts-nextjs (npm)
Malicious code in nextcloud-cookbook (npm)
NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails
Malicious code in @nexthink/engage-branding (npm)
Malicious code in nextjs-app-router (npm)
OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint
Malicious code in nextjs-insight (npm)
Malicious code in @ensdomains/vite-plugin-i18next-loader (npm)
Malicious code in next-simple-google-analytics (npm)
Malicious code in next-styled-nprogress (npm)
Malicious code in chokidar-next (npm)
Malicious code in next2ejs (npm)
Malicious code in @nexthink/content-sharing (npm)
Malicious code in example-app-next (npm)
Malicious code in @nexthink/engage-widgets (npm)
Malicious code in @nexthink/investigations-editor (npm)
Malicious code in @nexthink/investigations-widgets (npm)
Malicious code in @nexthink/nxnavigation (npm)
Malicious code in nextcloud-js-tests (npm)
Malicious code in nextcloud-mail (npm)
Malicious code in ng-focus-next (npm)
Malicious code in @nexthink/arm-claims-library (npm)
Malicious code in @nexthink/content-admin-list (npm)
Malicious code in @nexthink/data-formatter (npm)
Malicious code in @nexthink/remote-action-widgets (npm)
Malicious code in nextcloud-news (npm)
Malicious code in nextcloud-register (npm)
Malicious code in nextcloudappstore (npm)
Malicious code in vinext-monorepo (npm)
Malicious code in @investnext/fetlife-assets (npm)
Malicious code in nextcapital-client-demo (npm)
Malicious code in atomic-next (npm)
Malicious code in next-sweetalert2 (npm)
Malicious code in theme-next (npm)
Malicious code in csbchalk-next (npm)
Malicious code in @kucoin-gbiz-next/tools (npm)
Malicious code in nextjs-chat-with-ai-service (npm)
Malicious code in kc-next (npm)
Malicious code in @posthog/nextjs (npm)
Malicious code in @posthog/nextjs-config (npm)
Malicious code in polaris-example-nextjs (npm)
Malicious code in polaris-next (npm)
Malicious code in prettier-plugin-kimi-i18next (npm)
Malicious code in ssc-ui-react-next (npm)
Malicious code in react-intl-next (npm)
Malicious code in react-redux-next (npm)
Malicious code in react-table-next (npm)
Malicious code in @helloflex/widget-next-sdk (npm)
Malicious code in nextiva-partners-microsite (npm)
Malicious code in react-pro-components-next (npm)
Malicious code in achokidar-next (npm)
Malicious code in @seung-ju/next (npm)
Malicious code in nextmvc3primary (npm)
Malicious code in eslint-disable-next-line (npm)
Malicious code in postcsscksnext (npm)
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters
i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes
Malicious code in csachalk-next (npm)
i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header
i18next-locize-backend has URL Injection via Unsanitized Path Parameters
Malicious code in actions-next-bundle-analyzer (npm)
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
Auth0 Next.js SDK has Improper Proxy Cache Lookup
Malicious code in next-config-log (npm)
Malicious code in sha256-validation-nextjs (npm)
Malicious code in winextracter (npm)
Malicious code in cschalk-next (npm)
Malicious code in nextjs-edge (npm)
Malicious code in achalk-next (npm)
Malicious code in browser-nextjs (npm)
Malicious code in @sev-ui-verse/i18next-config (npm)