OsVault/npm/next
npm2 critical

next

210 known vulnerabilities · 2 critical · 10 high

CVE-2025-29927

Authorization Bypass in Next.js Middleware

Published Mar 21, 2025
CVE-2025-57752

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Published Aug 29, 2025
GHSA-q4gf-8mx6-v5v3

Next.js has a Denial of Service with Server Components

Published Apr 10, 2026
CVE-2022-36046MEDIUM

Unexpected server crash in Next.js

Published Aug 30, 2022
CVE-2022-21721MEDIUM

Denial of Service Vulnerability in next.js

Published Jan 28, 2022
CVE-2024-47831

Denial of Service condition in Next.js image optimization

Published Oct 14, 2024
CVE-2018-18282MEDIUM

Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page

Published Oct 15, 2018
CVE-2026-27980

Next.js: Unbounded next/image disk cache growth can exhaust storage

Published Mar 17, 2026
CVE-2025-59471

Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

Published Jan 27, 2026
CVE-2021-37699MEDIUM

Open Redirect in Next.js

Published Aug 12, 2021
CVE-2023-46298HIGH

Next.js missing cache-control header may lead to CDN caching empty reply

Published Oct 22, 2023
CVE-2026-27977

Next.js: null origin can bypass dev HMR websocket CSRF checks

Published Mar 17, 2026
CVE-2024-56332

Next.js Allows a Denial of Service (DoS) with Server Actions

Published Jan 3, 2025
CVE-2024-34351HIGH

Next.js Server-Side Request Forgery in Server Actions

Published May 9, 2024
CVE-2026-29057

Next.js: HTTP request smuggling in rewrites

Published Mar 17, 2026
CVE-2021-39178HIGH

XSS in Image Optimization API for Next.js

Published Sep 1, 2021
CVE-2025-49005

Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Published Jul 3, 2025
GHSA-36qx-fr4f-26g5

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

Published May 11, 2026
CVE-2018-6184HIGH

Directory traversal vulnerability in Next.js

Published Jan 24, 2018
CVE-2020-15242MEDIUM

Open Redirect in Next.js versions

Published Oct 8, 2020
GHSA-267c-6grr-h53f

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

Published May 11, 2026
CVE-2024-46982

Next.js Cache Poisoning

Published Sep 17, 2024
GHSA-492v-c6pp-mqqv

Next.js has a Middleware / Proxy bypass through dynamic route parameter injection

Published May 11, 2026
CVE-2022-23646MEDIUM

Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

Published Feb 17, 2022
GHSA-8h8q-6873-q5fj

Next.js Vulnerable to Denial of Service with Server Components

Published May 11, 2026
CVE-2026-27978

Next.js: null origin can bypass Server Actions CSRF checks

Published Mar 17, 2026
GHSA-c4j6-fc7j-m34r

Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades

Published May 11, 2026
GHSA-gx5p-jg67-6x7h

Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

Published May 11, 2026
GHSA-h64f-5h5j-jqjh

Next.js has a Denial of Service in the Image Optimization API

Published May 11, 2026
GHSA-mg66-mrh9-m8jx

Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components

Published May 11, 2026
GHSA-9qr9-h5gf-34mp

Next.js is vulnerable to RCE in React flight protocol

Published Dec 3, 2025
GHSA-h25m-26qc-wcjf

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

Published Jan 28, 2026
GHSA-wfc6-r584-vfw7

Next.js vulnerable to cache poisoning in React Server Component responses

Published May 11, 2026
CVE-2025-55173

Next.js Content Injection Vulnerability for Image Optimization

Published Aug 29, 2025
GHSA-w37m-7fhw-fmv9

Next Server Actions Source Code Exposure

Published Dec 11, 2025
GHSA-26hh-7cqf-hhc6

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

Published May 11, 2026
CVE-2021-43803HIGH

Unexpected server crash in Next.js.

Published Dec 7, 2021
GHSA-mwv6-3258-q52c

Next Vulnerable to Denial of Service with Server Components

Published Dec 11, 2025
CVE-2025-57822

Next.js Improper Middleware Redirect Handling Leads to SSRF

Published Aug 29, 2025
CVE-2026-27979

Next.js: Unbounded postponed resume buffering can lead to DoS

Published Mar 17, 2026
CVE-2025-59472

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

Published Jan 28, 2026
GHSA-3g8h-86w9-wvmq

Next.js's Middleware / Proxy redirects can be cache-poisoned

Published May 11, 2026
GHSA-ffhc-5mcf-pf4q

Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

Published May 11, 2026
GHSA-vfv6-92ff-j949

Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting

Published May 11, 2026
GHSA-5j59-xgg2-r9c4

Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

Published Dec 12, 2025
GHSA-4c35-wcg5-mm9h

next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys

Published May 6, 2026
CVE-2021-43812MEDIUM

Open redirect in @auth0/nextjs-auth0

Published Dec 16, 2021
MAL-2026-3281

Malicious code in pos-next-react-native (npm)

Published May 4, 2026
MAL-2022-4828

Malicious code in nextcloud-js-tests (npm)

Published Jun 20, 2022
GHSA-5jpx-9hw9-2fx4

NextAuthjs Email misdelivery Vulnerability

Published Oct 29, 2025
GHSA-vr6p-vq2p-6j74

Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions

Published Dec 15, 2025
GHSA-gm9m-x74r-8whg

Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

Published Mar 31, 2026
MAL-2022-4833

Malicious code in nextjs-accelerator (npm)

Published Jun 20, 2022
CVE-2026-33989

@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools

Published Mar 27, 2026
MAL-2025-3795

Malicious code in next-auths (npm)

Published May 14, 2025
MAL-2026-3025

Malicious code in next-rwa (npm)

Published Apr 24, 2026
MAL-2025-3796

Malicious code in next-logging-patcher (npm)

Published May 14, 2025
CVE-2025-68130

tRPC has possible prototype pollution in `experimental_nextAppDirCaller`

Published Dec 16, 2025
MAL-2022-456

Malicious code in @nexthink/apollo-tokens (npm)

Published Oct 19, 2022
MAL-2022-459

Malicious code in @nexthink/arm-jwt-decoder (npm)

Published Oct 19, 2022
MAL-2026-5076

Malicious code in private-next-instrumentation-client (npm)

Published May 29, 2026
MAL-2022-455

Malicious code in @nexthink/apollo-components (npm)

Published Oct 19, 2022
MAL-2022-475

Malicious code in @nexthink/waas (npm)

Published Oct 19, 2022
MAL-2025-610

Malicious code in cscchokidar-next (npm)

Published Jan 21, 2025
MAL-2022-4824

Malicious code in next-10-local (npm)

Published Jun 20, 2022
GHSA-8f24-v5vv-gm5j

next-intl has an open redirect vulnerability

Published Apr 10, 2026
GHSA-866c-wwm5-4rj7

Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Published Mar 19, 2026
MAL-2023-8553

Malicious code in kratos-nextjs-react-example (npm)

Published Nov 21, 2023
MAL-2022-467

Malicious code in @nexthink/investigations-components (npm)

Published Oct 19, 2022
GHSA-9528-x887-j2fp

OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication

Published Mar 31, 2026
MAL-2023-621

Malicious code in next-with-frontegg (npm)

Published Jul 2, 2023
MAL-2022-4825

Malicious code in next-plugin-normal (npm)

Published May 31, 2022
MAL-2022-4826

Malicious code in nextcloud-activity (npm)

Published Jun 20, 2022
MAL-2022-470

Malicious code in @nexthink/kendo-react (npm)

Published Oct 19, 2022
MAL-2022-471

Malicious code in @nexthink/nql-editor (npm)

Published Oct 19, 2022
CVE-2021-29438MEDIUM

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs

Published Apr 16, 2021
GHSA-5f7h-p83x-5vc2

Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens

Published Apr 10, 2026
CVE-2026-35394HIGH
Risk: 51.96/100

@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url

Published Apr 4, 2026
CVE-2022-24858MEDIUM

NextAuth.js default redirect callback vulnerable to open redirects

Published Apr 22, 2022
MAL-2025-1095

Malicious code in cschokidar-next (npm)

Published Feb 3, 2025
CVE-2017-16008MEDIUM

Cross-Site Scripting in i18next

Published Nov 9, 2018
CVE-2022-31186LOW

next-auth before v4.10.2 and v3.29.9 leaks excessive information into log

Published Aug 6, 2022
MAL-2024-11810

Malicious code in nextcloud1 (npm)

Published Dec 12, 2024
MAL-2025-48269

Malicious code in vite-next-loggers (npm)

Published Oct 9, 2025
GHSA-fwf6-j56g-m97c

Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click

Published May 8, 2026
MAL-2026-2855

Malicious code in react-resource-router-next (npm)

Published Apr 18, 2026
CVE-2025-6087

opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass

Published Mar 5, 2026
MAL-2025-2584

Malicious code in vscode-typescript-next (npm)

Published Mar 20, 2025
MAL-2025-260

Malicious code in webpack-next (npm)

Published Jan 20, 2025
MAL-2025-4724

Malicious code in next-pwa-template (npm)

Published Jun 9, 2025
CVE-2022-29214MEDIUM

URL Redirection to Untrusted Site ('Open Redirect') in next-auth

Published May 24, 2022
MAL-2025-3060

Malicious code in @nationalgeographicsociety/ngsui-header-auth-provider-next (npm)

Published Apr 2, 2025
MAL-2026-1797

Malicious code in nextiva-dot-com (npm)

Published Mar 18, 2026
CVE-2023-49785CRITICAL

NextChat has full-read SSRF and XSS vulnerability in /api/cors endpoint

Published Aug 5, 2024
MAL-2025-3794

Malicious code in next-auth-core (npm)

Published May 14, 2025
MAL-2026-2768

Malicious code in h3-next (npm)

Published Apr 16, 2026
MAL-2022-463

Malicious code in @nexthink/ea-widgets (npm)

Published Oct 19, 2022
MAL-2022-472

Malicious code in @nexthink/nxassignment (npm)

Published Oct 19, 2022
MAL-2025-2361

Malicious code in app-bridge-next (npm)

Published Mar 14, 2025
GHSA-vj2p-7pgw-g2wf

Postiz App has a High-Severity SSRF Vulnerability via Next.js

Published Mar 27, 2026
CVE-2026-34748HIGH
Risk: 43.51/100

@payloadcms/next has Stored XSS in Admin Panel

Published Apr 1, 2026
CVE-2025-67490

Improper Request Caching Lookup in the Auth0 Next.js SDK

Published Dec 10, 2025
MAL-2023-8734

Malicious code in next-id-doc (npm)

Published Dec 22, 2023
MAL-2025-142

Malicious code in next-refresh-token (npm)

Published Jan 19, 2025
CVE-2024-24556HIGH

@urql/next Cross-site Scripting vulnerability

Published Jan 30, 2024
MAL-2025-190573

Malicious code in gbiz-next (npm)

Published Nov 18, 2025
CVE-2024-29901MEDIUM

@workos-inc/authkit-nextjs session replay vulnerability

Published Mar 29, 2024
CVE-2024-23841HIGH

@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability

Published Jan 30, 2024
MAL-2022-457

Malicious code in @nexthink/apollo-widgets (npm)

Published Oct 19, 2022
MAL-2026-5265

Malicious code in node-env-resolver-nextjs (npm)

Published Jun 5, 2026
MAL-2025-2213

Malicious code in next-tab (npm)

Published Mar 6, 2025
MAL-2022-5654

Malicious code in react-monorail-next (npm)

Published Jun 20, 2022
MAL-2025-3581

Malicious code in next-log-patcher (npm)

Published May 2, 2025
MAL-2025-49410

Malicious code in frontend-vue-next (npm)

Published Nov 9, 2025
MAL-2022-7031

Malicious code in waffles-next-doc-site (npm)

Published Oct 31, 2022
GHSA-jfgf-83c5-2c4m

i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters

Published Apr 29, 2026
MAL-2025-579

Malicious code in lexical-esm-nextjs (npm)

Published Jan 24, 2025
CVE-2025-67716

Improper Validation of Query Parameters in Auth0 Next.js SDK

Published Dec 10, 2025
CVE-2026-0969

next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content

Published Feb 12, 2026
CVE-2026-28449

OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Published Mar 3, 2026
MAL-2024-7856

Malicious code in wix-smarts-nextjs (npm)

Published Jul 30, 2024
CVE-2021-21310MEDIUM

Token verification bug in next-auth

Published Feb 11, 2021
MAL-2022-464

Malicious code in @nexthink/engage-branding (npm)

Published Oct 19, 2022
MAL-2024-12010

Malicious code in nextjs-app-router (npm)

Published Dec 19, 2024
GHSA-rvpw-p7vw-wj3m

OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint

Published Jun 16, 2025
MAL-2025-4856

Malicious code in nextjs-insight (npm)

Published Jun 10, 2025
MAL-2025-190741

Malicious code in @ensdomains/vite-plugin-i18next-loader (npm)

Published Nov 24, 2025
MAL-2025-190980

Malicious code in next-simple-google-analytics (npm)

Published Nov 24, 2025
MAL-2025-190981

Malicious code in next-styled-nprogress (npm)

Published Nov 24, 2025
MAL-2022-4827

Malicious code in nextcloud-cookbook (npm)

Published Jun 20, 2022
MAL-2022-461

Malicious code in @nexthink/content-sharing (npm)

Published Oct 19, 2022
MAL-2025-87

Malicious code in example-app-next (npm)

Published Jan 14, 2025
MAL-2022-466

Malicious code in @nexthink/flow-fe (npm)

Published Oct 19, 2022
MAL-2022-468

Malicious code in @nexthink/investigations-editor (npm)

Published Oct 19, 2022
MAL-2022-473

Malicious code in @nexthink/nxnavigation (npm)

Published Oct 19, 2022
MAL-2026-4363

Malicious code in @asura21232/fca-unofficial-nextgen (npm)

Published May 22, 2026
MAL-2022-458

Malicious code in @nexthink/arm-claims-library (npm)

Published Oct 19, 2022
MAL-2022-460

Malicious code in @nexthink/content-admin-list (npm)

Published Oct 19, 2022
MAL-2022-462

Malicious code in @nexthink/data-formatter (npm)

Published Oct 19, 2022
MAL-2022-474

Malicious code in @nexthink/remote-action-widgets (npm)

Published Oct 19, 2022
MAL-2022-4830

Malicious code in nextcloud-news (npm)

Published Jun 20, 2022
MAL-2026-2861

Malicious code in vinext-monorepo (npm)

Published Apr 19, 2026
MAL-2026-4482

Malicious code in arnext (npm)

Published May 26, 2026
MAL-2026-4483

Malicious code in arnext-arkb (npm)

Published May 26, 2026
MAL-2022-363

Malicious code in @investnext/fetlife-assets (npm)

Published Jun 20, 2022
MAL-2026-3589

Malicious code in nextmove-mcp (npm)

Published May 12, 2026
MAL-2026-4538

Malicious code in create-arnext-app (npm)

Published May 26, 2026
MAL-2023-8599

Malicious code in nextcapital-client-demo (npm)

Published Nov 23, 2023
MAL-2022-1163

Malicious code in atomic-next (npm)

Published Jun 20, 2022
MAL-2025-5197

Malicious code in next-sweetalert2 (npm)

Published Jun 20, 2025
MAL-2023-881

Malicious code in theme-next (npm)

Published Jun 6, 2023
MAL-2025-609

Malicious code in csbchalk-next (npm)

Published Jan 21, 2025
MAL-2026-2587

Malicious code in @kucoin-gbiz-next/tools (npm)

Published Apr 13, 2026
MAL-2026-3241

Malicious code in nextjs-chat-with-ai-service (npm)

Published May 3, 2026
MAL-2025-190886

Malicious code in @posthog/nextjs (npm)

Published Nov 24, 2025
MAL-2025-190887

Malicious code in @posthog/nextjs-config (npm)

Published Nov 24, 2025
MAL-2022-5397

Malicious code in polaris-example-nextjs (npm)

Published Jun 20, 2022
MAL-2022-5401

Malicious code in polaris-next (npm)

Published Jun 20, 2022
MAL-2025-3769

Malicious code in next.js-localized (npm)

Published May 12, 2025
MAL-2024-10770

Malicious code in prettier-plugin-kimi-i18next (npm)

Published Nov 15, 2024
MAL-2024-10867

Malicious code in ssc-ui-react-next (npm)

Published Nov 20, 2024
MAL-2022-5650

Malicious code in react-intl-next (npm)

Published Jun 20, 2022
MAL-2022-5671

Malicious code in react-redux-next (npm)

Published Jun 20, 2022
MAL-2026-5871

Malicious code in lucide-next (npm)

Published Jun 16, 2026
MAL-2022-5677

Malicious code in react-table-next (npm)

Published Jun 20, 2022
MAL-2026-760

Malicious code in @helloflex/widget-next-sdk (npm)

Published Feb 5, 2026
MAL-2024-9726

Malicious code in nextiva-partners-microsite (npm)

Published Oct 16, 2024
MAL-2024-10999

Malicious code in react-pro-components-next (npm)

Published Nov 27, 2024
CVE-2017-16010MEDIUM

Cross-Site Scripting in i18next

Published Jul 24, 2018
CVE-2022-31093HIGH

Improper Handling of `callbackUrl` parameter in next-auth

Published Jun 21, 2022
GHSA-xhq5-45pm-2gjr

OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens

Published Mar 26, 2026
MAL-2024-11244

Malicious code in nextcloud2 (npm)

Published Dec 8, 2024
MAL-2025-190755

Malicious code in @seung-ju/next (npm)

Published Nov 24, 2025
MAL-2026-3749

Malicious code in @webapp-next/store (npm)

Published May 14, 2026
MAL-2025-2801

Malicious code in nextmvc3primary (npm)

Published Mar 30, 2025
MAL-2025-48996

Malicious code in eslint-disable-next-line (npm)

Published Oct 29, 2025
GHSA-5fgg-jcpf-8jjw

i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters

Published Apr 22, 2026
GHSA-6457-mxpq-4fqq

i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes

Published Apr 22, 2026
MAL-2025-1092

Malicious code in csachalk-next (npm)

Published Feb 3, 2025
GHSA-8847-338w-5hcj

i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

Published Apr 22, 2026
GHSA-c3h8-g69v-pjrg

i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Published Apr 22, 2026
MAL-2024-1312

Malicious code in actions-next-bundle-analyzer (npm)

Published May 1, 2024
GHSA-q89c-q3h5-w34g

i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns

Published Apr 22, 2026
GHSA-xq8m-7c5p-c2r6

Auth0 Next.js SDK has Improper Proxy Cache Lookup

Published Apr 21, 2026
MAL-2025-4381

Malicious code in next-config-log (npm)

Published May 23, 2025
MAL-2024-1528

Malicious code in winextracter (npm)

Published Jun 3, 2024
MAL-2023-622

Malicious code in next2ejs (npm)

Published May 17, 2023
MAL-2025-612

Malicious code in cschalk-next (npm)

Published Jan 21, 2025
GHSA-mgcp-mfp8-3q45

i18next-locize-backend has URL Injection via Unsanitized Path Parameters

Published Apr 22, 2026
MAL-2025-48033

Malicious code in nextjs-edge (npm)

Published Oct 8, 2025
CVE-2022-35924CRITICAL

NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails

Published Aug 2, 2022
MAL-2022-4832

Malicious code in nextcloudappstore (npm)

Published Jun 20, 2022
MAL-2026-4193

Malicious code in private-next-pages (npm)

Published May 20, 2026
MAL-2022-4829

Malicious code in nextcloud-mail (npm)

Published Jun 20, 2022
MAL-2022-5425

Malicious code in postcsscksnext (npm)

Published Aug 19, 2022
MAL-2025-47521

Malicious code in sha256-validation-nextjs (npm)

Published Sep 24, 2025
MAL-2025-47539

Malicious code in @sev-ui-verse/i18next-config (npm)

Published Sep 25, 2025
MAL-2025-701

Malicious code in browser-nextjs (npm)

Published Jan 31, 2025
MAL-2025-608

Malicious code in achalk-next (npm)

Published Jan 21, 2025
GHSA-2xx6-qf7x-grqh

next-npm-version is vulnerable to Command injection

Published May 7, 2026
MAL-2022-465

Malicious code in @nexthink/engage-widgets (npm)

Published Oct 19, 2022
MAL-2022-469

Malicious code in @nexthink/investigations-widgets (npm)

Published Oct 19, 2022
MAL-2022-4831

Malicious code in nextcloud-register (npm)

Published Jun 20, 2022
MAL-2022-4844

Malicious code in ng-focus-next (npm)

Published Jun 20, 2022
GHSA-x6p3-76f2-xxvh

Shamefile has an arbitrary file read via shamefile.yaml in shame next

Published May 28, 2026
MAL-2023-175

Malicious code in chokidar-next (npm)

Published Jan 6, 2023
MAL-2024-8994

Malicious code in assistants-nextjs (npm)

Published Sep 27, 2024
MAL-2025-1055

Malicious code in achokidar-next (npm)

Published Feb 3, 2025
MAL-2025-190574

Malicious code in kc-next (npm)

Published Nov 19, 2025
MAL-2025-190979

Malicious code in next-circular-dependency (npm)

Published Nov 24, 2025
Check your entire dependency tree at onceRun dependency scan →