📂 Vulnerable Library - www-0.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /apps/www/package.json
Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| MSC-2024-5167 | 🟣 Critical | 9.8 | High | < 1% | intersection-observer-0.10.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-27212 | 🟣 Critical | 9.3 | Not Defined | < 1% | swiper-11.0.7.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-0969 | 🔴 High | 8.8 | Not Defined | < 1% | next-mdx-remote-4.4.1.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-4800 | 🔴 High | 8.1 | Not Defined | < 1% | lodash.template-4.5.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2021-23337 | 🔴 High | 7.2 | Proof of concept | 4.3% | lodash.template-4.5.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-29057 | 🟠 Medium | 6.5 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | ❌ | Unreachable |
| WS-2017-3770 | 🟠 Medium | 6.1 | N/A | N/A | autolinker-0.28.1.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-59471 | 🟠 Medium | 5.9 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-59472 | 🟠 Medium | 5.9 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-66400 | 🟠 Medium | 5.3 | Not Defined | < 1% | mdast-util-to-hast-13.2.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-27980 | 🟠 Medium | 5.3 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | ❌ | Unreachable |
| WS-2019-0540 | 🟠 Medium | 5.3 | N/A | N/A | autolinker-0.28.1.tgz | Transitive | N/A | ❌ | Unreachable |
Details
🟣MSC-2024-5167
Vulnerable Library - intersection-observer-0.10.0.tgz
A polyfill for IntersectionObserver
Library home page: https://registry.npmjs.org/intersection-observer/-/intersection-observer-0.10.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- www-0.0.3.tgz (Root Library)
  - sandpack-react-2.20.0.tgz
    - intersection-observer-3.1.2.tgz
      - ❌ intersection-observer-0.10.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A malicious Polyfill reference has been identified in this package. The issue is located in the file "package\intersection-observer-test.html". That is a test page shipped inside the tarball, not the polyfill's runtime script; the report itself marks the code unreachable, so confirm that nothing serves or bundles that page before treating the 9.8 score as a live runtime risk.
To address this security concern, either remove the affected file completely or replace the suspicious reference with a trusted alternative. Reliable Polyfill sources include Cloudflare (https://cdnjs.cloudflare.com/polyfill) and Fastly (https://community.fastly.com/t/new-options-for-polyfill-io-users/2540).
Mend Note: For more detailed information about the Polyfill supply chain attack and its widespread impact, you can refer to our comprehensive blog post at https://www.mend.io/blog/more-than-100k-sites-impacted-by-polyfill-supply-chain-attack/.
Publish Date: Jul 01, 2024 02:45 PM
URL: MSC-2024-5167
Threat Assessment
Exploit Maturity:High
EPSS:< 1%
Score: 9.8
Suggested Fix
Type: Remove or replace the reference (no upgraded release is listed)
Origin: not recorded
Release Date: not recorded
Fix Resolution : delete package\intersection-observer-test.html from the installed package, or point its script reference at one of the trusted Polyfill sources named above
🟣CVE-2026-27212
Vulnerable Library - swiper-11.0.7.tgz
Library home page: https://registry.npmjs.org/swiper/-/swiper-11.0.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- www-0.0.3.tgz (Root Library)
  - ❌ swiper-11.0.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a prototype pollution vulnerability. The flaw is in line 94 of shared/utils.mjs, where indexOf() is used to check whether user-provided input contains forbidden strings. A previous fix attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, but it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works on Windows and Linux and on the Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by authentication bypass, denial of service and RCE. This issue is fixed in version 12.1.2.
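The shape of the bug class above, as an added example that is not Swiper's code and does not reproduce the specific Array.prototype bypass in shared/utils.mjs: a recursive "extend" that reads target[key] for every source key walks into Object.prototype as soon as the parsed input carries an own "__proto__" property, while the hardened version drops the prototype-walking keys, recurses only into properties the target itself owns, and builds child containers without a prototype. The payload, the function names and the isAdmin marker are constructed for the demonstration; the key blocklist is the kind of check the advisory says was bypassed, which is why the hardened merge does not rely on it alone.

```javascript
'use strict';

// Added example, not Swiper's code: a naive recursive "extend" beside a
// hardened one, driven by a constructed attacker-controlled payload.
const FORBIDDEN_KEYS = ['__proto__', 'constructor', 'prototype'];

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: target[key] is read for every source key, so the own
// property "__proto__" that JSON.parse produces resolves to Object.prototype
// and the recursion writes the attacker's properties onto it.
function extendUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      extendUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: drop the prototype-walking keys, recurse only into
// properties the target itself owns, and create child containers with a
// null prototype so there is no Object.prototype to reach through them.
function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.includes(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.hasOwn(target, key) ? target[key] : undefined;
      const child = isPlainObject(own) ? own : Object.create(null);
      target[key] = extendSafe(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body parsed into options.
const PAYLOAD = JSON.parse('{"speed":300,"__proto__":{"isAdmin":true}}');

// Runs one merge and reports whether an unrelated object created afterwards
// inherited the attacker's property. Cleans up so repeated runs are independent.
function pollutionCheck(extendFn) {
  const options = extendFn({}, PAYLOAD);
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { speed: options.speed, leaked };
}

console.log(pollutionCheck(extendUnsafe)); // { speed: 300, leaked: true }
console.log(pollutionCheck(extendSafe));   // { speed: 300, leaked: false }
```

The ownership check matters more than the blocklist: a merge that only filters key names stays one missed spelling away from the same sink, whereas a merge that never reads an inherited property cannot reach Object.prototype at all.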
Publish Date: Feb 21, 2026 05:43 AM
URL: CVE-2026-27212
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: nolimits4web/swiper@d3e6633
Release Date: Feb 21, 2026 05:43 AM
Fix Resolution : https://github.com/nolimits4web/swiper.git - v12.1.2
🔴CVE-2026-0969
Vulnerable Library - next-mdx-remote-4.4.1.tgz
Library home page: https://registry.npmjs.org/next-mdx-remote/-/next-mdx-remote-4.4.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy (root libraries only; the scanner did not record the intermediate packages):
- docs-0.0.0.tgz (Root Library)
- www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. MDX is compiled to JavaScript, so treat any MDX string that reaches serialize() as code: do not hand it user-submitted content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.
Publish Date: Feb 12, 2026 01:35 AM
URL: CVE-2026-0969
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.8
Suggested Fix
Type: Upgrade version
Origin: https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155
Release Date: Feb 12, 2026 01:35 AM
Fix Resolution : next-mdx-remote - 6.0.0,https://github.com/hashicorp/next-mdx-remote.git - v6.0.0
🔴CVE-2026-4800
Vulnerable Library - lodash.template-4.5.0.tgz
The Lodash method _.template exported as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- www-0.0.3.tgz (Root Library)
  - markdown-toc-1.2.0.tgz
    - remarkable-1.7.4.tgz
      - autolinker-0.28.1.tgz
        - gulp-header-1.8.12.tgz
          - ❌ lodash.template-4.5.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
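The sink described above, reduced to its essentials as an added example that is not lodash's code: import key names are joined into the parameter list of a Function() call, and because the outer function is applied immediately to bind the import values, a default-parameter expression hidden in a key name runs at compile time. The hardened variant accepts only plain identifiers and iterates own keys, which also covers the inherited-property path the advisory mentions. TEMPLATE, HELPERS, the hostile key and the __template_pwned marker are constructed for the demonstration.

```javascript
'use strict';

// Added example, not lodash's code: a reduced model of the sink the advisory
// describes. Import names become the parameter list of Function(), and the
// outer function is called immediately to bind the import values, so a
// default-parameter expression smuggled in as a key name runs at compile time.
function buildRenderer(names, values, source) {
  const outer = new Function(names.join(', '), `return function (data) { return ${source}; };`);
  return outer.apply(undefined, values);
}

// Unsafe: key names go straight into the parameter list.
function compileUnsafe(source, imports) {
  const names = Object.keys(imports);
  return buildRenderer(names, names.map((name) => imports[name]), source);
}

// Safe: a key must be a plain identifier and not a prototype-walking name.
// Object.keys also ignores inherited properties, so a key that arrived via a
// polluted Object.prototype is never copied into the parameter list.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function compileSafe(source, imports) {
  const names = Object.keys(imports);
  for (const name of names) {
    if (!IDENTIFIER.test(name) || FORBIDDEN.has(name)) {
      throw new TypeError(`invalid import name: ${JSON.stringify(name)}`);
    }
  }
  return buildRenderer(names, names.map((name) => imports[name]), source);
}

// Developer-controlled template source. Template source is code and must be
// trusted on any version; this model isolates only the imports-key sink.
const TEMPLATE = '"Hello, " + upper(data.name)';
const HELPERS = { upper: (s) => String(s).toUpperCase() };

// Constructed hostile key: a default-parameter expression with no value behind
// it, so the default is evaluated when the outer function is applied.
const HOSTILE_KEY = 'marker = (globalThis.__template_pwned = true)';

// Compiles with the hostile key present and reports whether the expression ran.
function injectionCheck(compileFn) {
  delete globalThis.__template_pwned;
  try {
    const render = compileFn(TEMPLATE, { ...HELPERS, [HOSTILE_KEY]: undefined });
    return { fired: globalThis.__template_pwned === true, rejected: false, output: render({ name: 'ada' }) };
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
    return { fired: globalThis.__template_pwned === true, rejected: true, output: null };
  } finally {
    delete globalThis.__template_pwned;
  }
}

console.log(injectionCheck(compileUnsafe)); // { fired: true, rejected: false, output: 'Hello, ADA' }
console.log(injectionCheck(compileSafe));   // { fired: false, rejected: true, output: null }
```

The unsafe path still renders the template correctly, which is why this class of bug survives functional testing: the payload runs as a side effect of compilation and leaves the output untouched.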
Publish Date: Mar 31, 2026 07:25 PM
URL: CVE-2026-4800
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin: not recorded (see the advisory text above)
Release Date: not recorded
Fix Resolution : lodash - 4.18.0 (from the advisory text above; this report lists no patched release of the per-method lodash.template package)
🔴CVE-2021-23337
Vulnerable Library - lodash.template-4.5.0.tgz
The Lodash method _.template exported as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- www-0.0.3.tgz (Root Library)
  - markdown-toc-1.2.0.tgz
    - remarkable-1.7.4.tgz
      - autolinker-0.28.1.tgz
        - gulp-header-1.8.12.tgz
          - ❌ lodash.template-4.5.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to code injection (catalogued as Command Injection) via the template function: the variable option was interpolated into the Function() constructor without validation, the same sink described under CVE-2026-4800 above.
Publish Date: Feb 15, 2021 12:15 PM
URL: CVE-2021-23337
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:4.3%
Score: 7.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: Feb 15, 2021 12:15 PM
Fix Resolution : lodash - 4.17.21, lodash-es - 4.17.21
🟠CVE-2026-29057
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - ui-3.52.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - next-contentlayer2-0.4.6.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - nextjs-10.27.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Summary:
When Next.js rewrites proxy traffic to an external backend, a crafted "DELETE"/"OPTIONS" request using "Transfer-Encoding: chunked" could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.
Impact:
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches:
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so "content-length: 0" is added only when both "content-length" and "transfer-encoding" are absent, and "transfer-encoding" is no longer removed in that code path.
Workarounds:
If upgrade is not immediately possible:
- Block chunked "DELETE"/"OPTIONS" requests on rewritten routes at your edge/proxy.
- Enforce authentication/authorization on backend routes per the Next.js "security guidance" (https://nextjs.org/docs/app/guides/data-security).
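The broken and fixed header handling side by side, as an added example that is not Next.js code and not the vendored library's code: the broken path forces content-length: 0 and strips transfer-encoding for DELETE/OPTIONS, so the backend reads no body and parses the chunked payload as a second request; the fixed path adds content-length: 0 only when neither framing header is present and never removes transfer-encoding. A framing comparison makes the "boundary disagreement" testable, and the edge workaround from the advisory is included as a check. Which methods the vendored code special-cased is an assumption here (the advisory names DELETE and OPTIONS), as are the function names and the constructed request headers.

```javascript
'use strict';

// Added example, not Next.js's or the vendored library's code: a model of
// the header normalisation the advisory describes, broken and fixed, plus
// the checks a practitioner can run at the edge. Headers are plain objects
// with lowercase keys.

// Assumption: the methods the broken path treated as bodyless.
const BODYLESS_METHODS = new Set(['DELETE', 'OPTIONS']);

// Broken behaviour: force content-length: 0 and strip transfer-encoding.
// The backend then reads zero body bytes and parses the chunked payload
// that follows as the next request on the connection.
function normalizeBroken(method, headers) {
  const out = { ...headers };
  if (BODYLESS_METHODS.has(method.toUpperCase())) {
    delete out['transfer-encoding'];
    out['content-length'] = '0';
  }
  return out;
}

// Fixed behaviour: add content-length: 0 only when neither framing header
// is present, and never remove transfer-encoding.
function normalizeFixed(method, headers) {
  const out = { ...headers };
  const hasLength = 'content-length' in out;
  const hasTE = 'transfer-encoding' in out;
  if (BODYLESS_METHODS.has(method.toUpperCase()) && !hasLength && !hasTE) {
    out['content-length'] = '0';
  }
  return out;
}

// How an HTTP/1.1 parser decides where this request's body ends: chunked
// framing takes precedence over content-length (RFC 9112).
function framing(headers) {
  const te = String(headers['transfer-encoding'] || '').toLowerCase();
  if (te.includes('chunked')) return 'chunked';
  if ('content-length' in headers) return `length:${headers['content-length']}`;
  return 'none';
}

// The condition the advisory calls "request boundary disagreement": the
// client and the forwarded request do not agree on where the body ends.
function boundaryDisagrees(clientHeaders, forwardedHeaders) {
  return framing(clientHeaders) !== framing(forwardedHeaders);
}

// Edge workaround from the advisory: refuse chunked DELETE/OPTIONS on
// rewritten routes until the upgrade lands.
function shouldBlockAtEdge(method, headers) {
  return BODYLESS_METHODS.has(method.toUpperCase()) && framing(headers) === 'chunked';
}

// Constructed client request: a chunked DELETE with no content-length.
const SMUGGLE_ATTEMPT = { host: 'app.example', 'transfer-encoding': 'chunked' };

console.log('broken disagrees:', boundaryDisagrees(SMUGGLE_ATTEMPT, normalizeBroken('DELETE', SMUGGLE_ATTEMPT))); // true
console.log('fixed disagrees: ', boundaryDisagrees(SMUGGLE_ATTEMPT, normalizeFixed('DELETE', SMUGGLE_ATTEMPT)));  // false
console.log('block at edge:   ', shouldBlockAtEdge('DELETE', SMUGGLE_ATTEMPT));                                      // true
```

The same framing() comparison is a useful assertion in proxy integration tests generally: whatever the rewrite layer does to headers, the request it forwards must frame its body the same way the client did, or the backend will be parsing attacker-supplied bytes as a new request.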
Publish Date: Mar 18, 2026 01:55 AM
URL: CVE-2026-29057
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@dc98c04
Release Date: Mar 18, 2026 12:30 AM
Fix Resolution : https://github.com/vercel/next.js.git - v16.1.7,https://github.com/vercel/next.js.git - v15.5.13
🟠WS-2017-3770
Vulnerable Library - autolinker-0.28.1.tgz
Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML
Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- www-0.0.3.tgz (Root Library)
  - markdown-toc-1.2.0.tgz
    - remarkable-1.7.4.tgz
      - ❌ autolinker-0.28.1.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Cross-site Scripting (XSS) vulnerability was found in autolinker before 3.14.0: user input written into innerHTML isn't sanitized.
Publish Date: Feb 15, 2017 12:00 AM
URL: WS-2017-3770
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 6.1
Suggested Fix
Type: Upgrade version
Origin: https://github.com/gregjacobs/Autolinker.js/releases/tag/v3.14.0
Release Date: Feb 15, 2017 12:00 AM
Fix Resolution : autolinker - 3.14.0
🟠CVE-2025-59471
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - ui-3.52.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - next-contentlayer2-0.4.6.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - nextjs-10.27.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A denial of service vulnerability exists in self-hosted Next.js applications that have "remotePatterns" configured for the Image Optimizer. The image optimization endpoint ("/_next/image") loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that "remotePatterns" is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Publish Date: Jan 26, 2026 09:43 PM
URL: CVE-2025-59471
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-9g9p-9gw9-jx7f
Release Date: Jan 26, 2026 09:43 PM
Fix Resolution : next - 15.5.10,next - 16.1.5
🟠CVE-2025-59472
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - ui-3.52.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - next-contentlayer2-0.4.6.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - nextjs-10.27.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the "Next-Resume: 1" header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:
- Unbounded request body buffering: The server buffers the entire POST request body into memory using "Buffer.concat()" without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.
- Unbounded decompression (zipbomb): The resume data cache is decompressed using "inflateSync()" without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.
Both attack vectors result in a fatal V8 out-of-memory error ("FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory") causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.
To be affected you must have an application running with "experimental.ppr: true" or "cacheComponents: true" configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 26, 2026 09:43 PM
URL: CVE-2025-59472
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-5f7q-jpqc-wp7h
Release Date: Jan 26, 2026 09:43 PM
Fix Resolution : next - 16.1.5 (the advisory text above also names 15.6.0-canary.61). The scanner additionally lists next 15.0.0 through 15.4.2 in this field; those releases predate the installed 15.5.7 and are not upgrade targets, so treat 16.1.5 (or the named 15.6.0 canary) as the remediation.
🟠CVE-2025-66400
Vulnerable Library - mdast-util-to-hast-13.2.0.tgz
Library home page: https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - react-markdown-10.1.0.tgz
    - ❌ mdast-util-to-hast-13.2.0.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - react-markdown-9.0.1.tgz
    - ❌ mdast-util-to-hast-13.2.0.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - hast-util-to-html-9.0.0.tgz
    - hast-util-raw-9.0.1.tgz
      - ❌ mdast-util-to-hast-13.2.0.tgz (Vulnerable Library)
- studio-0.0.9.tgz (Root Library)
  - streamdown-1.3.0.tgz
    - shiki-3.13.0.tgz
      - core-3.13.0.tgz
        - hast-util-to-html-9.0.5.tgz
          - ❌ mdast-util-to-hast-13.2.0.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - remark-html-16.0.1.tgz
    - ❌ mdast-util-to-hast-13.2.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
Publish Date: Dec 01, 2025 10:17 PM
URL: CVE-2025-66400
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: syntax-tree/mdast-util-to-hast@ab3a795
Release Date: Dec 01, 2025 10:17 PM
Fix Resolution : https://github.com/syntax-tree/mdast-util-to-hast.git - 13.2.1
🟠CVE-2026-27980
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - ui-3.52.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - next-contentlayer2-0.4.6.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - nextjs-10.27.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache ("/_next/image") did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with "images.maximumDiskCacheSize", including eviction of least-recently-used entries when the limit is exceeded. Setting "maximumDiskCacheSize: 0" disables disk caching. If upgrading is not immediately possible, periodically clean ".next/cache/images" and/or reduce variant cardinality (e.g., tighten values for "images.localPatterns", "images.remotePatterns", and "images.qualities").
Publish Date: Mar 18, 2026 12:23 AM
URL: CVE-2026-27980
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@39eb8e0
Release Date: Mar 18, 2026 12:23 AM
Fix Resolution : https://github.com/vercel/next.js.git - v16.1.7,https://github.com/vercel/next.js.git - v15.5.13
🟠WS-2019-0540
Vulnerable Library - autolinker-0.28.1.tgz
Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML
Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- www-0.0.3.tgz (Root Library)
  - markdown-toc-1.2.0.tgz
    - remarkable-1.7.4.tgz
      - ❌ autolinker-0.28.1.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Denial of Service (DoS) vulnerability was found in autolinker before 3.0.0: an unterminated img src attribute in the input causes very long execution in the parser.
Publish Date: Jan 08, 2019 12:00 AM
URL: WS-2019-0540
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://github.com/gregjacobs/Autolinker.js/releases/tag/v3.0.0
Release Date: Jan 08, 2019 12:00 AM
Fix Resolution : autolinker - 3.0.0
📂 Vulnerable Library - www-0.0.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /apps/www/package.json
Findings
Details
🟣MSC-2024-5167
Vulnerable Library - intersection-observer-0.10.0.tgz
A polyfill for IntersectionObserver
Library home page: https://registry.npmjs.org/intersection-observer/-/intersection-observer-0.10.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A malicious Polyfill reference has been identified in this package. The issue is located in the file "package\intersection-observer-test.html".
To address this security concern, we recommend taking one of two actions: either remove the affected file completely or replace the suspicious reference with a trusted alternative. Reliable Polyfill sources include Cloudflare (https://cdnjs.cloudflare.com/polyfill) and Fastly (https://community.fastly.com/t/new-options-for-polyfill-io-users/2540).
Mend Note: For more detailed information about the Polyfill supply chain attack and its widespread impact, you can refer to our comprehensive blog post at https://www.mend.io/blog/more-than-100k-sites-impacted-by-polyfill-supply-chain-attack/.
Publish Date: Jul 01, 2024 02:45 PM
URL: MSC-2024-5167
Threat Assessment
Exploit Maturity:High
EPSS:< 1%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟣CVE-2026-27212
Vulnerable Library - swiper-11.0.7.tgz
Library home page: https://registry.npmjs.org/swiper/-/swiper-11.0.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user provided input contain forbidden strings. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. The exploit works across Windows and Linux and on Node and Bun runtimes. Any application that processes attacker-controlled input using this package may be affected by the following: Authentication Bypass, Denial of Service and RCE. This issue is fixed in version 12.1.2.
Publish Date: Feb 21, 2026 05:43 AM
URL: CVE-2026-27212
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: nolimits4web/swiper@d3e6633
Release Date: Feb 21, 2026 05:43 AM
Fix Resolution : https://github.com/nolimits4web/swiper.git - v12.1.2
🔴CVE-2026-0969
Vulnerable Library - next-mdx-remote-4.4.1.tgz
Library home page: https://registry.npmjs.org/next-mdx-remote/-/next-mdx-remote-4.4.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
docs-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.
Publish Date: Feb 12, 2026 01:35 AM
URL: CVE-2026-0969
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.8
Suggested Fix
Type: Upgrade version
Origin: https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155
Release Date: Feb 12, 2026 01:35 AM
Fix Resolution : next-mdx-remote - 6.0.0,https://github.com/hashicorp/next-mdx-remote.git - v6.0.0
🔴CVE-2026-4800
Vulnerable Library - lodash.template-4.5.0.tgz
The Lodash method
_.templateexported as a module.Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: Mar 31, 2026 07:25 PM
URL: CVE-2026-4800
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2021-23337
Vulnerable Library - lodash.template-4.5.0.tgz
The Lodash method
_.templateexported as a module.Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-4.5.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: Feb 15, 2021 12:15 PM
URL: CVE-2021-23337
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:4.3%
Score: 7.2
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: Feb 15, 2021 12:15 PM
Fix Resolution : lodash - 4.17.21, lodash-es - 4.17.21
🟠CVE-2026-29057
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
common-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Summary When Next.js rewrites proxy traffic to an external backend, a crafted "DELETE"/"OPTIONS" request using "Transfer-Encoding: chunked" could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. Impact An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. Patches The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so "content-length: 0" is added only when both "content-length" and "transfer-encoding" are absent, and "transfer-encoding" is no longer removed in that code path. Workarounds If upgrade is not immediately possible: - Block chunked "DELETE"/"OPTIONS" requests on rewritten routes at your edge/proxy. - Enforce authentication/authorization on backend routes per our "security guidance" (https://nextjs.org/docs/app/guides/data-security).
Publish Date: Mar 18, 2026 01:55 AM
URL: CVE-2026-29057
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@dc98c04
Release Date: Mar 18, 2026 12:30 AM
Fix Resolution : https://github.com/vercel/next.js.git - v16.1.7,https://github.com/vercel/next.js.git - v15.5.13
🟠WS-2017-3770
Vulnerable Library - autolinker-0.28.1.tgz
Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML
Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Cross-site Scripting (XSS) vulnerability was found in autolinker before 3.14.0. User input passed to the innerHTML tags isn't sanitized.
Publish Date: Feb 15, 2017 12:00 AM
URL: WS-2017-3770
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 6.1
Suggested Fix
Type: Upgrade version
Origin: https://github.com/gregjacobs/Autolinker.js/releases/tag/v3.14.0
Release Date: Feb 15, 2017 12:00 AM
Fix Resolution : autolinker - 3.14.0
🟠CVE-2025-59471
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
common-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A denial of service vulnerability exists in self-hosted Next.js applications that have "remotePatterns" configured for the Image Optimizer. The image optimization endpoint ("/_next/image") loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that "remotePatterns" is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Publish Date: Jan 26, 2026 09:43 PM
URL: CVE-2025-59471
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-9g9p-9gw9-jx7f
Release Date: Jan 26, 2026 09:43 PM
Fix Resolution : next - 15.5.10,next - 16.1.5
🟠CVE-2025-59472
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
common-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the "Next-Resume: 1" header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:
Both attack vectors result in a fatal V8 out-of-memory error ("FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory") causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.
To be affected you must have an application running with "experimental.ppr: true" or "cacheComponents: true" configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 26, 2026 09:43 PM
URL: CVE-2025-59472
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-5f7q-jpqc-wp7h
Release Date: Jan 26, 2026 09:43 PM
Fix Resolution: next - 15.4.2, next - 15.1.1, next - 16.1.5, next - 15.0.3, next - 15.0.2, next - 15.3.1, next - 15.0.0, next - 15.2.1, next - 15.3.0, next - 15.2.0, next - 15.0.1, next - 15.2.2, next - 15.4.0
🟠CVE-2025-66400
Vulnerable Library - mdast-util-to-hast-13.2.0.tgz
Library home page: https://registry.npmjs.org/mdast-util-to-hast/-/mdast-util-to-hast-13.2.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
studio-0.0.9.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1.
Publish Date: Dec 01, 2025 10:17 PM
URL: CVE-2025-66400
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: syntax-tree/mdast-util-to-hast@ab3a795
Release Date: Dec 01, 2025 10:17 PM
Fix Resolution: https://github.com/syntax-tree/mdast-util-to-hast.git - 13.2.1
🟠CVE-2026-27980
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
common-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache ("/_next/image") did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with "images.maximumDiskCacheSize", including eviction of least-recently-used entries when the limit is exceeded. Setting "maximumDiskCacheSize: 0" disables disk caching. If upgrading is not immediately possible, periodically clean ".next/cache/images" and/or reduce variant cardinality (e.g., tighten values for "images.localPatterns", "images.remotePatterns", and "images.qualities").
Publish Date: Mar 18, 2026 12:23 AM
URL: CVE-2026-27980
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@39eb8e0
Release Date: Mar 18, 2026 12:23 AM
Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7, https://github.com/vercel/next.js.git - v15.5.13
🟠WS-2019-0540
Vulnerable Library - autolinker-0.28.1.tgz
Utility to automatically link the URLs, email addresses, and Twitter handles in a given block of text/HTML
Library home page: https://registry.npmjs.org/autolinker/-/autolinker-0.28.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A Denial of Service (DoS) vulnerability was found in autolinker before 3.0.0: an unterminated img src attribute causes long execution times.
Publish Date: Jan 08, 2019 12:00 AM
URL: WS-2019-0540
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://github.com/gregjacobs/Autolinker.js/releases/tag/v3.0.0
Release Date: Jan 08, 2019 12:00 AM
Fix Resolution: autolinker - 3.0.0