Next

This hub aggregates every CVE we track for Next, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Next.

• CVE-2026-27978Next.js: null origin can bypass Server Actions CSRF checks4.3Mar 17, 2026
• CVE-2026-27977Next.js: null origin can bypass dev HMR websocket CSRF checks5.4Mar 17, 2026
• CVE-2025-59471A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads ex...5.9Jan 26, 2026
• CVE-2025-59472A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with...5.9Jan 26, 2026
• CVE-2025-57752Next.js Affected by Cache Key Confusion for Image Optimization API Routes6.2Aug 29, 2025
• CVE-2025-55173Next.js Content Injection Vulnerability for Image Optimization4.3Aug 29, 2025
• CVE-2025-57822Next.js Improper Middleware Redirect Handling Leads to SSRF6.5Aug 29, 2025
• CVE-2025-49826Next.js DoS vulnerability via cache poisoning7.5Jul 3, 2025
• CVE-2025-49005Next.js cache poisoning due to omission of Vary header3.7Jul 3, 2025
• CVE-2025-48068Information exposure in Next.js dev server due to lack of origin verification4.3May 30, 2025
• CVE-2025-32421Next.js Race Condition to Cache Poisoning3.7May 14, 2025
• CVE-2025-30218Next.js may leak x-middleware-subrequest-id to external hosts5.9Apr 2, 2025
• CVE-2025-29927Authorization Bypass in Next.js Middleware9.1Mar 21, 2025
• CVE-2024-56332Next.js Vulnerable to Denial of Service (DoS) with Server Actions5.3Jan 3, 2025
• CVE-2024-51479Authorization bypass in Next.js7.5Dec 17, 2024