
common-0.0.0.tgz: 8 vulnerabilities (highest severity is: 8.1) [master] (unreachable) #27

@renovate

Description

📂 Vulnerable Library - common-0.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /packages/common/package.json

Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-4800 | 🔴 High | 8.1 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-13465 | 🔴 High | 7.2 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-29057 | 🟠 Medium | 6.5 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-2950 | 🟠 Medium | 6.5 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-22028 | 🟠 Medium | 6.1 | Not Defined | < 1% | preact-10.26.9.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-59471 | 🟠 Medium | 5.9 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | | Unreachable |
| CVE-2025-59472 | 🟠 Medium | 5.9 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | | Unreachable |
| CVE-2026-27980 | 🟠 Medium | 5.3 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | | Unreachable |

Details

🔴 CVE-2026-4800

Vulnerable Library - lodash-4.17.21.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • ui-library-0.1.0.tgz (Root Library)
    • fs-routes-7.4.0.tgz
      • dev-7.4.0.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • cms-1.0.0.tgz (Root Library)
    • payload-3.52.0.tgz
      • json-schema-to-typescript-15.0.3.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • config-0.0.0.tgz (Root Library)
    • tailwindcss-variables-2.7.0.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • ui-patterns-0.0.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • design-system-0.1.0.tgz (Root Library)
    • recharts-2.15.4.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • ai-commands-0.0.0.tgz (Root Library)
    • schema-builder-0.18.5.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • docs-0.0.0.tgz (Root Library)
    • remark-emoji-3.1.2.tgz
      • node-emoji-1.11.0.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • ui-0.0.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • studio-0.0.9.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • common-0.0.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • @supabase/vue-blocks-0.1.0.tgz (Root Library)
    • nuxt-4.1.2.tgz
      • nitropack-2.12.6.tgz
        • archiver-7.0.1.tgz
          • archiver-utils-5.0.2.tgz
            • lodash-4.17.21.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Publish Date: Mar 31, 2026 07:25 PM

URL: CVE-2026-4800

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 8.1

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🔴 CVE-2025-13465

Vulnerable Library - lodash-4.17.21.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • ui-library-0.1.0.tgz (Root Library)
    • fs-routes-7.4.0.tgz
      • dev-7.4.0.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • cms-1.0.0.tgz (Root Library)
    • payload-3.52.0.tgz
      • json-schema-to-typescript-15.0.3.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • config-0.0.0.tgz (Root Library)
    • tailwindcss-variables-2.7.0.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • ui-patterns-0.0.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • design-system-0.1.0.tgz (Root Library)
    • recharts-2.15.4.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • ai-commands-0.0.0.tgz (Root Library)
    • schema-builder-0.18.5.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • docs-0.0.0.tgz (Root Library)
    • remark-emoji-3.1.2.tgz
      • node-emoji-1.11.0.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • ui-0.0.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • studio-0.0.9.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • common-0.0.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • @supabase/vue-blocks-0.1.0.tgz (Root Library)
    • nuxt-4.1.2.tgz
      • nitropack-2.12.6.tgz
        • archiver-7.0.1.tgz
          • archiver-utils-5.0.2.tgz
            • lodash-4.17.21.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.

Publish Date: Jan 21, 2026 07:05 PM

URL: CVE-2025-13465

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 7.2

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution:

🟠 CVE-2026-29057

Vulnerable Library - next-15.5.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • ui-library-0.1.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • cms-1.0.0.tgz (Root Library)
    • ui-3.52.0.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • ui-patterns-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • design-system-0.1.0.tgz (Root Library)
    • next-contentlayer2-0.4.6.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • docs-0.0.0.tgz (Root Library)
    • nextjs-10.27.0.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • ui-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • common-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • www-0.0.3.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Summary:
When Next.js rewrites proxy traffic to an external backend, a crafted "DELETE"/"OPTIONS" request using "Transfer-Encoding: chunked" could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.
Impact:
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches:
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so "content-length: 0" is added only when both "content-length" and "transfer-encoding" are absent, and "transfer-encoding" is no longer removed in that code path.
Workarounds:
If upgrade is not immediately possible:
  • Block chunked "DELETE"/"OPTIONS" requests on rewritten routes at your edge/proxy.
  • Enforce authentication/authorization on backend routes per our "security guidance" (https://nextjs.org/docs/app/guides/data-security).

Publish Date: Mar 18, 2026 01:55 AM

URL: CVE-2026-29057

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 6.5

Suggested Fix

Type: Upgrade version

Origin: vercel/next.js@dc98c04

Release Date: Mar 18, 2026 12:30 AM

Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7, https://github.com/vercel/next.js.git - v15.5.13

🟠 CVE-2026-2950

Vulnerable Library - lodash-4.17.21.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • ui-library-0.1.0.tgz (Root Library)
    • fs-routes-7.4.0.tgz
      • dev-7.4.0.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • cms-1.0.0.tgz (Root Library)
    • payload-3.52.0.tgz
      • json-schema-to-typescript-15.0.3.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • config-0.0.0.tgz (Root Library)
    • tailwindcss-variables-2.7.0.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • ui-patterns-0.0.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • design-system-0.1.0.tgz (Root Library)
    • recharts-2.15.4.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • ai-commands-0.0.0.tgz (Root Library)
    • schema-builder-0.18.5.tgz
      • lodash-4.17.21.tgz (Vulnerable Library)
  • docs-0.0.0.tgz (Root Library)
    • remark-emoji-3.1.2.tgz
      • node-emoji-1.11.0.tgz
        • lodash-4.17.21.tgz (Vulnerable Library)
  • ui-0.0.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • studio-0.0.9.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • common-0.0.0.tgz (Root Library)
    • lodash-4.17.21.tgz (Vulnerable Library)
  • @supabase/vue-blocks-0.1.0.tgz (Root Library)
    • nuxt-4.1.2.tgz
      • nitropack-2.12.6.tgz
        • archiver-7.0.1.tgz
          • archiver-utils-5.0.2.tgz
            • lodash-4.17.21.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.

Publish Date: Mar 31, 2026 07:18 PM

URL: CVE-2026-2950

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 6.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-xxjr-mmjv-4gpg

Release Date: Mar 31, 2026 07:18 PM

Fix Resolution: lodash-es - 4.17.23, lodash-amd - 4.17.23, lodash - 4.17.23

🟠 CVE-2026-22028

Vulnerable Library - preact-10.26.9.tgz

Fast 3kb React-compatible Virtual DOM library.

Library home page: https://registry.npmjs.org/preact/-/preact-10.26.9.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • common-0.0.0.tgz (Root Library)
    • posthog-js-1.257.2.tgz
      • preact-10.26.9.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Preact, a lightweight web development framework, has JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means.
Applications using affected Preact versions are vulnerable if they meet all of the following conditions:
  1. they pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree;
  2. they assume these values are strings, but the data source could return actual JavaScript objects instead of JSON strings; and
  3. the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database).
Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade: validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP).

Publish Date: Jan 08, 2026 02:16 PM

URL: CVE-2026-22028

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 6.1

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GHSA-36hm-qxxp-pg3m

Release Date: Jan 08, 2026 02:16 PM

Fix Resolution: preact - 10.27.3, preact - 10.28.2, preact - 10.26.10

🟠 CVE-2025-59471

Vulnerable Library - next-15.5.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • ui-library-0.1.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • cms-1.0.0.tgz (Root Library)
    • ui-3.52.0.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • ui-patterns-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • design-system-0.1.0.tgz (Root Library)
    • next-contentlayer2-0.4.6.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • docs-0.0.0.tgz (Root Library)
    • nextjs-10.27.0.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • ui-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • common-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • www-0.0.3.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

A denial of service vulnerability exists in self-hosted Next.js applications that have "remotePatterns" configured for the Image Optimizer. The image optimization endpoint ("/_next/image") loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that "remotePatterns" is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

Publish Date: Jan 26, 2026 09:43 PM

URL: CVE-2025-59471

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 5.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-9g9p-9gw9-jx7f

Release Date: Jan 26, 2026 09:43 PM

Fix Resolution: next - 15.5.10, next - 16.1.5

🟠 CVE-2025-59472

Vulnerable Library - next-15.5.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • ui-library-0.1.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • cms-1.0.0.tgz (Root Library)
    • ui-3.52.0.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • ui-patterns-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • design-system-0.1.0.tgz (Root Library)
    • next-contentlayer2-0.4.6.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • docs-0.0.0.tgz (Root Library)
    • nextjs-10.27.0.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • ui-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • common-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • www-0.0.3.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the "Next-Resume: 1" header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

  1. Unbounded request body buffering: The server buffers the entire POST request body into memory using "Buffer.concat()" without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.
  2. Unbounded decompression (zipbomb): The resume data cache is decompressed using "inflateSync()" without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error ("FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory"), causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.
To be affected you must have an application running with "experimental.ppr: true" or "cacheComponents: true" configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jan 26, 2026 09:43 PM

URL: CVE-2025-59472

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 5.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-5f7q-jpqc-wp7h

Release Date: Jan 26, 2026 09:43 PM

Fix Resolution: next - 15.4.2, next - 15.1.1, next - 16.1.5, next - 15.0.3, next - 15.0.2, next - 15.3.1, next - 15.0.0, next - 15.2.1, next - 15.3.0, next - 15.2.0, next - 15.0.1, next - 15.2.2, next - 15.4.0

🟠 CVE-2026-27980

Vulnerable Library - next-15.5.7.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • ui-library-0.1.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • cms-1.0.0.tgz (Root Library)
    • ui-3.52.0.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • ui-patterns-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • design-system-0.1.0.tgz (Root Library)
    • next-contentlayer2-0.4.6.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • docs-0.0.0.tgz (Root Library)
    • nextjs-10.27.0.tgz
      • next-15.5.7.tgz (Vulnerable Library)
  • ui-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • common-0.0.0.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)
  • www-0.0.3.tgz (Root Library)
    • next-15.5.7.tgz (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable


Vulnerability Details

Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache ("/_next/image") did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with "images.maximumDiskCacheSize", including eviction of least-recently-used entries when the limit is exceeded. Setting "maximumDiskCacheSize: 0" disables disk caching. If upgrading is not immediately possible, periodically clean ".next/cache/images" and/or reduce variant cardinality (e.g., tighten values for "images.localPatterns", "images.remotePatterns", and "images.qualities").

Publish Date: Mar 18, 2026 12:23 AM

URL: CVE-2026-27980

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 5.3

Suggested Fix

Type: Upgrade version

Origin: vercel/next.js@39eb8e0

Release Date: Mar 18, 2026 12:23 AM

Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7, https://github.com/vercel/next.js.git - v15.5.13
