📂 Vulnerable Library - design-system-0.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /apps/design-system/package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| WS-2026-0004 | 🟣 Critical | 9.9 | N/A | N/A | protobufjs-7.3.0.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-4800 | 🔴 High | 8.1 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-26996 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-9.0.5.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-27903 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-9.0.5.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-27904 | 🔴 High | 7.5 | Not Defined | < 1% | minimatch-9.0.5.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-13465 | 🔴 High | 7.2 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-29057 | 🟠 Medium | 6.5 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-2950 | 🟠 Medium | 6.5 | Not Defined | < 1% | lodash-4.17.21.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-59471 | 🟠 Medium | 5.9 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2025-59472 | 🟠 Medium | 5.9 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-27980 | 🟠 Medium | 5.3 | Not Defined | < 1% | next-15.5.7.tgz | Transitive | N/A | ❌ | Unreachable |
| CVE-2026-33532 | 🟠 Medium | 4.3 | Not Defined | < 1% | yaml-2.8.1.tgz | Transitive | N/A | ❌ | Unreachable |
Details
🟣 WS-2026-0004
Vulnerable Library - protobufjs-7.3.0.tgz
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.3.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- design-system-0.1.0.tgz (Root Library)
  - contentlayer2-0.4.6.tgz
    - utils-0.4.3.tgz
      - exporter-trace-otlp-grpc-0.51.1.tgz
        - otlp-grpc-exporter-base-0.51.1.tgz
          - ❌ protobufjs-7.3.0.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Arbitrary code execution in protobufjs.
protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.
Publish Date: Apr 17, 2026 06:13 AM
URL: WS-2026-0004
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq3m-2v4x-88gg
Release Date: Apr 15, 2026 09:00 PM
Fix Resolution: https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.5, protobufjs - 8.0.1, protobufjs - 7.5.5, https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.1
🔴 CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - dev-7.4.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - payload-3.52.0.tgz
    - json-schema-to-typescript-15.0.3.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- config-0.0.0.tgz (Root Library)
  - tailwindcss-variables-2.7.0.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - recharts-2.15.4.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ai-commands-0.0.0.tgz (Root Library)
  - schema-builder-0.18.5.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - remark-emoji-3.1.2.tgz
    - node-emoji-1.11.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- studio-0.0.9.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- @supabase/vue-blocks-0.1.0.tgz (Root Library)
  - nuxt-4.1.2.tgz
    - nitropack-2.12.6.tgz
      - archiver-7.0.1.tgz
        - archiver-utils-5.0.2.tgz
          - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: Mar 31, 2026 07:25 PM
URL: CVE-2026-4800
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴 CVE-2026-26996
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - coverage-v8-3.2.4.tgz
    - test-exclude-7.0.1.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - ts-morph-22.0.0.tgz
    - common-0.23.0.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - libpg-query-15.2.0.tgz
    - node-gyp-10.1.0.tgz
      - glob-10.4.5.tgz
        - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution: https://github.com/isaacs/minimatch.git - v10.2.1, https://github.com/isaacs/minimatch.git - v5.1.7, https://github.com/isaacs/minimatch.git - v4.2.4, https://github.com/isaacs/minimatch.git - v3.1.3, https://github.com/isaacs/minimatch.git - v8.0.5, https://github.com/isaacs/minimatch.git - v9.0.6, https://github.com/isaacs/minimatch.git - v6.2.1, https://github.com/isaacs/minimatch.git - v7.4.7
🔴 CVE-2026-27903
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - coverage-v8-3.2.4.tgz
    - test-exclude-7.0.1.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - ts-morph-22.0.0.tgz
    - common-0.23.0.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - libpg-query-15.2.0.tgz
    - node-gyp-10.1.0.tgz
      - glob-10.4.5.tgz
        - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: Feb 26, 2026 01:06 AM
URL: CVE-2026-27903
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: Feb 26, 2026 01:06 AM
Fix Resolution: https://github.com/isaacs/minimatch.git - v3.1.3, https://github.com/isaacs/minimatch.git - v4.2.5, https://github.com/isaacs/minimatch.git - v6.2.2, https://github.com/isaacs/minimatch.git - v10.2.3, https://github.com/isaacs/minimatch.git - v5.1.8, https://github.com/isaacs/minimatch.git - v9.0.7, https://github.com/isaacs/minimatch.git - v7.4.8, https://github.com/isaacs/minimatch.git - v8.0.6
🔴 CVE-2026-27904
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - coverage-v8-3.2.4.tgz
    - test-exclude-7.0.1.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - ts-morph-22.0.0.tgz
    - common-0.23.0.tgz
      - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - libpg-query-15.2.0.tgz
    - node-gyp-10.1.0.tgz
      - glob-10.4.5.tgz
        - ❌ minimatch-9.0.5.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Publish Date: Feb 26, 2026 01:07 AM
URL: CVE-2026-27904
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: Feb 26, 2026 01:07 AM
Fix Resolution: minimatch - 7.4.8, minimatch - 10.2.3, minimatch - 8.0.6, minimatch - 6.2.2, minimatch - 9.0.7, minimatch - 5.1.8, minimatch - 4.2.5, minimatch - 3.1.4
🔴 CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - dev-7.4.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - payload-3.52.0.tgz
    - json-schema-to-typescript-15.0.3.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- config-0.0.0.tgz (Root Library)
  - tailwindcss-variables-2.7.0.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - recharts-2.15.4.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ai-commands-0.0.0.tgz (Root Library)
  - schema-builder-0.18.5.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - remark-emoji-3.1.2.tgz
    - node-emoji-1.11.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- studio-0.0.9.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- @supabase/vue-blocks-0.1.0.tgz (Root Library)
  - nuxt-4.1.2.tgz
    - nitropack-2.12.6.tgz
      - archiver-7.0.1.tgz
        - archiver-utils-5.0.2.tgz
          - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Publish Date: Jan 21, 2026 07:05 PM
URL: CVE-2025-13465
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠 CVE-2026-29057
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - ui-3.52.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - next-contentlayer2-0.4.6.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - nextjs-10.27.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Summary:
When Next.js rewrites proxy traffic to an external backend, a crafted "DELETE"/"OPTIONS" request using "Transfer-Encoding: chunked" could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.
Impact:
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches:
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so "content-length: 0" is added only when both "content-length" and "transfer-encoding" are absent, and "transfer-encoding" is no longer removed in that code path.
Workarounds:
If upgrade is not immediately possible:
- Block chunked "DELETE"/"OPTIONS" requests on rewritten routes at your edge/proxy.
- Enforce authentication/authorization on backend routes per our "security guidance" (https://nextjs.org/docs/app/guides/data-security).
Publish Date: Mar 18, 2026 01:55 AM
URL: CVE-2026-29057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@dc98c04
Release Date: Mar 18, 2026 12:30 AM
Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7, https://github.com/vercel/next.js.git - v15.5.13
🟠 CVE-2026-2950
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - fs-routes-7.4.0.tgz
    - dev-7.4.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - payload-3.52.0.tgz
    - json-schema-to-typescript-15.0.3.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- config-0.0.0.tgz (Root Library)
  - tailwindcss-variables-2.7.0.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - recharts-2.15.4.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ai-commands-0.0.0.tgz (Root Library)
  - schema-builder-0.18.5.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - remark-emoji-3.1.2.tgz
    - node-emoji-1.11.0.tgz
      - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- studio-0.0.9.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ lodash-4.17.21.tgz (Vulnerable Library)
- @supabase/vue-blocks-0.1.0.tgz (Root Library)
  - nuxt-4.1.2.tgz
    - nitropack-2.12.6.tgz
      - archiver-7.0.1.tgz
        - archiver-utils-5.0.2.tgz
          - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Publish Date: Mar 31, 2026 07:18 PM
URL: CVE-2026-2950
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: Mar 31, 2026 07:18 PM
Fix Resolution: lodash-es - 4.17.23, lodash-amd - 4.17.23, lodash - 4.17.23
🟠 CVE-2025-59471
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - ui-3.52.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - next-contentlayer2-0.4.6.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - nextjs-10.27.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A denial of service vulnerability exists in self-hosted Next.js applications that have "remotePatterns" configured for the Image Optimizer. The image optimization endpoint ("/_next/image") loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that "remotePatterns" is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Publish Date: Jan 26, 2026 09:43 PM
URL: CVE-2025-59471
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-9g9p-9gw9-jx7f
Release Date: Jan 26, 2026 09:43 PM
Fix Resolution: next - 15.5.10, next - 16.1.5
🟠 CVE-2025-59472
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - ui-3.52.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - next-contentlayer2-0.4.6.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - nextjs-10.27.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the "Next-Resume: 1" header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:
- Unbounded request body buffering: The server buffers the entire POST request body into memory using "Buffer.concat()" without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.
- Unbounded decompression (zipbomb): The resume data cache is decompressed using "inflateSync()" without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.
Both attack vectors result in a fatal V8 out-of-memory error ("FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory") causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.
To be affected you must have an application running with "experimental.ppr: true" or "cacheComponents: true" configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 26, 2026 09:43 PM
URL: CVE-2025-59472
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-5f7q-jpqc-wp7h
Release Date: Jan 26, 2026 09:43 PM
Fix Resolution: next - 15.4.2, next - 15.1.1, next - 16.1.5, next - 15.0.3, next - 15.0.2, next - 15.3.1, next - 15.0.0, next - 15.2.1, next - 15.3.0, next - 15.2.0, next - 15.0.1, next - 15.2.2, next - 15.4.0
🟠 CVE-2026-27980
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ui-library-0.1.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- cms-1.0.0.tgz (Root Library)
  - ui-3.52.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-patterns-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- design-system-0.1.0.tgz (Root Library)
  - next-contentlayer2-0.4.6.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - nextjs-10.27.0.tgz
    - ❌ next-15.5.7.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- common-0.0.0.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
- www-0.0.3.tgz (Root Library)
  - ❌ next-15.5.7.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache ("/_next/image") did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with "images.maximumDiskCacheSize", including eviction of least-recently-used entries when the limit is exceeded. Setting "maximumDiskCacheSize: 0" disables disk caching. If upgrading is not immediately possible, periodically clean ".next/cache/images" and/or reduce variant cardinality (e.g., tighten values for "images.localPatterns", "images.remotePatterns", and "images.qualities").
Publish Date: Mar 18, 2026 12:23 AM
URL: CVE-2026-27980
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@39eb8e0
Release Date: Mar 18, 2026 12:23 AM
Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7, https://github.com/vercel/next.js.git - v15.5.13
🟠 CVE-2026-33532
Vulnerable Library - yaml-2.8.1.tgz
JavaScript parser and stringifier for YAML
Library home page: https://registry.npmjs.org/yaml/-/yaml-2.8.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- design-system-0.1.0.tgz (Root Library)
  - contentlayer2-0.4.6.tgz
    - source-files-0.4.3.tgz
      - ❌ yaml-2.8.1.tgz (Vulnerable Library)
- docs-0.0.0.tgz (Root Library)
  - ❌ yaml-2.8.1.tgz (Vulnerable Library)
- ui-0.0.0.tgz (Root Library)
  - tailwindcss-3.4.1.tgz
    - postcss-load-config-4.0.1.tgz
      - ❌ yaml-2.8.1.tgz (Vulnerable Library)
- studio-0.0.9.tgz (Root Library)
  - postgres-meta-0.82.0-dev.2.tgz
    - swagger-8.15.0.tgz
      - ❌ yaml-2.8.1.tgz (Vulnerable Library)
- @supabase/vue-blocks-0.1.0.tgz (Root Library)
  - nuxt-4.1.2.tgz
    - unplugin-vue-router-0.15.0.tgz
      - ❌ yaml-2.8.1.tgz (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
"yaml" is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of "yaml" on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a "RangeError: Maximum call stack size exceeded" with a small payload (~2–10 KB). The "RangeError" is not a "YAMLParseError", so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one "[" and one "]"). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library's "Parser" (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: "YAML.parse()", "YAML.parseDocument()", and "YAML.parseAllDocuments()". Versions 1.10.3 and 2.8.3 contain a patch.
Publish Date: Mar 26, 2026 07:49 PM
URL: CVE-2026-33532
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 4.3
Suggested Fix
Type: Upgrade version
Origin: eemeli/yaml@1e84ebb
Release Date: Mar 25, 2026 10:02 PM
Fix Resolution: https://github.com/eemeli/yaml.git - v1.10.3, https://github.com/eemeli/yaml.git - v2.8.3
📂 Vulnerable Library - design-system-0.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /apps/design-system/package.json
Findings
Details
🟣WS-2026-0004
Vulnerable Library - protobufjs-7.3.0.tgz
Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.3.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Arbitrary code execution in protobufjs.
protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.
Publish Date: Apr 17, 2026 06:13 AM
URL: WS-2026-0004
Threat Assessment
Exploit Maturity:N/A
EPSS:N/A
Score: 9.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-xq3m-2v4x-88gg
Release Date: Apr 15, 2026 09:00 PM
Fix Resolution : https://github.com/protobufjs/protobuf.js.git - protobufjs-v7.5.5,protobufjs - 8.0.1,protobufjs - 7.5.5,https://github.com/protobufjs/protobuf.js.git - protobufjs-v8.0.1
🔴CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
config-0.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
ai-commands-0.0.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
studio-0.0.9.tgz (Root Library)
common-0.0.0.tgz (Root Library)
@supabase/vue-blocks-0.1.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: Mar 31, 2026 07:25 PM
URL: CVE-2026-4800
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.1
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴CVE-2026-26996
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6 are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS.
This issue has been fixed in versions 10.2.1, 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, and 9.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Feb 20, 2026 03:05 AM
URL: CVE-2026-26996
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ppc-4f35-3m26
Release Date: Feb 19, 2026 12:56 AM
Fix Resolution : minimatch 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5, 9.0.6 or 10.2.1 (tags at https://github.com/isaacs/minimatch.git). For the installed 9.0.5 the nearest fix is 9.0.6, but the two other minimatch findings below (CVE-2026-27903, CVE-2026-27904) are only fixed from 9.0.7, so 9.0.7 (or 10.2.3) is the version to target.
🔴CVE-2026-27903
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, "matchOne()" performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent "**" (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)), i.e. binomial, where "n" is the number of path segments and "k" is the number of globstars. With k=11 and n=30, a call to the default "minimatch()" API stalls for roughly 5 seconds; with k=13 it exceeds 15 seconds. No memoization or call budget exists to bound this behavior.
Any application where an attacker can influence the glob pattern passed to "minimatch()" is vulnerable. The realistic attack surface includes:
- build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config);
- multi-tenant systems where one tenant configures glob-based rules that run in a shared process;
- admin or developer interfaces that accept ignore-rule or filter configuration as globs;
- CI/CD pipelines that evaluate user-submitted config files containing glob patterns.
An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Publish Date: Feb 26, 2026 01:06 AM
URL: CVE-2026-27903
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-7r86-cg39-jmmj
Release Date: Feb 26, 2026 01:06 AM
Fix Resolution : minimatch 3.1.3, 4.2.5, 5.1.8, 6.2.2, 7.4.8, 8.0.6, 9.0.7 or 10.2.3 (tags at https://github.com/isaacs/minimatch.git); for the installed 9.0.5 that is 9.0.7.
🔴CVE-2026-27904
Vulnerable Library - minimatch-9.0.5.tgz
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested "()" extglobs produce regexps with nested unbounded quantifiers (e.g. "(?:(?:a|b))"), which exhibit catastrophic backtracking in V8. With a 12-byte pattern "(((a|b)))" and an 18-byte non-matching input, "minimatch()" stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes.
This is the most severe of the three minimatch findings: it is triggered by the default "minimatch()" API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects "+()" extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
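The three minimatch findings above (CVE-2026-26996, CVE-2026-27903, CVE-2026-27904) share one root condition: an attacker-influenced pattern string reaching `minimatch()`. As an added example (not minimatch's code and not its upstream fix), here is a pre-filter that rejects the trigger shapes each advisory describes before the pattern is compiled. The limits, the constructed sample patterns and the `assertSafeGlob` name are assumptions for the example; the filter narrows the accepted glob language, so tune it to the patterns your application legitimately needs.

```javascript
// Added example, not minimatch's code or its upstream fix. A pre-filter that
// rejects the pattern shapes behind CVE-2026-26996, CVE-2026-27903 and
// CVE-2026-27904 before a user-supplied glob reaches minimatch(). The limits
// are assumptions; tune them to the patterns your application legitimately uses.
const LIMITS = { maxLength: 256, maxGlobstars: 3, maxExtglobDepth: 1 };

function checkGlobPattern(pattern, limits = LIMITS) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > limits.maxLength) return { ok: false, reason: 'too long' };

  // CVE-2026-26996: three or more consecutive '*' compile to stacked [^/]*?
  // groups (O(4^N) on a failed match). '**' on its own is the globstar and
  // stays allowed.
  if (/\*{3,}/.test(pattern)) return { ok: false, reason: 'consecutive stars' };

  // CVE-2026-27903: many non-adjacent '**' path segments make matchOne()
  // backtrack binomially in the number of globstars.
  const globstars = pattern.split('/').filter((seg) => seg === '**').length;
  if (globstars > limits.maxGlobstars) return { ok: false, reason: 'too many globstars' };

  // CVE-2026-27904: nested extglobs such as @(@(@(a|b))) become nested
  // unbounded quantifiers. Count '(' only when an extglob prefix precedes it
  // and honour backslash escapes, so literal parentheses are not counted.
  let depth = 0;
  let maxDepth = 0;
  let prev = '';
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i += 1; prev = ''; continue; }   // skip the escaped char
    if (c === '(' && prev !== '' && '?*+@!'.includes(prev)) {
      depth += 1;
      if (depth > maxDepth) maxDepth = depth;
    } else if (c === ')' && depth > 0) {
      depth -= 1;
    }
    prev = c;
  }
  if (maxDepth > limits.maxExtglobDepth) return { ok: false, reason: 'nested extglob' };

  return { ok: true, reason: '' };
}

// Throwing wrapper for call sites: minimatch(path, assertSafeGlob(userPattern))
function assertSafeGlob(pattern, limits = LIMITS) {
  const verdict = checkGlobPattern(pattern, limits);
  if (!verdict.ok) throw new RangeError('rejected glob pattern: ' + verdict.reason);
  return pattern;
}

// Constructed inputs: one benign pattern and one of each advisory's trigger shape.
const SAMPLES = {
  benign: 'src/**/*.ts',
  stars: 'a' + '*'.repeat(34) + 'b',              // CVE-2026-26996 shape
  globstars: Array(12).fill('**').join('/x/'),    // CVE-2026-27903 shape (12 globstar segments)
  nested: '@(@(@(a|b)))',                         // CVE-2026-27904 shape
};

function runSamples() {
  const out = {};
  for (const [name, p] of Object.entries(SAMPLES)) out[name] = checkGlobPattern(p).reason || 'ok';
  return out;
}
```

This is a defence-in-depth layer, not a substitute for the upgrade: it only catches the shapes the advisories name, whereas 9.0.7 fixes the matcher itself.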
Publish Date: Feb 26, 2026 01:07 AM
URL: CVE-2026-27904
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c5-xmqv-rm74
Release Date: Feb 26, 2026 01:07 AM
Fix Resolution : minimatch 3.1.4, 4.2.5, 5.1.8, 6.2.2, 7.4.8, 8.0.6, 9.0.7 or 10.2.3; for the installed 9.0.5 that is 9.0.7.
🔴CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
config-0.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
ai-commands-0.0.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
studio-0.0.9.tgz (Root Library)
common-0.0.0.tgz (Root Library)
@supabase/vue-blocks-0.1.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths that cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23 (see CVE-2026-2950 below for a bypass of that fix, resolved in 4.18.0).
Publish Date: Jan 21, 2026 07:05 PM
URL: CVE-2025-13465
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🟠CVE-2026-29057
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
common-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Summary:
When Next.js rewrites proxy traffic to an external backend, a crafted "DELETE"/"OPTIONS" request using "Transfer-Encoding: chunked" could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.
Impact:
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing the assumption that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches:
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so that "content-length: 0" is added only when both "content-length" and "transfer-encoding" are absent, and "transfer-encoding" is no longer removed in that code path.
Workarounds:
If an upgrade is not immediately possible:
- Block chunked "DELETE"/"OPTIONS" requests on rewritten routes at your edge/proxy.
- Enforce authentication/authorization on backend routes per the Next.js security guidance (https://nextjs.org/docs/app/guides/data-security).
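To make the header rule in the advisory concrete, here is an added example (not Next.js code and not the vendored proxy library's code) that models the pre-fix normalisation as the advisory describes it, the corrected rule, and the edge-side block listed as a workaround. It assumes header names are already lower-cased, as Node's http module delivers them; the request headers are constructed for the example.

```javascript
// Added example, not Next.js or its vendored proxy code. Models the header
// handling CVE-2026-29057 describes on rewritten DELETE/OPTIONS requests, the
// corrected rule from the advisory, and the edge block it recommends.
const BODILESS = new Set(['DELETE', 'OPTIONS']);

function hasChunked(headers) {
  const te = headers['transfer-encoding'];
  if (te === undefined) return false;
  return String(te).toLowerCase().split(',').map((s) => s.trim()).includes('chunked');
}

// Pre-fix behaviour as described: DELETE/OPTIONS lose transfer-encoding and
// gain content-length: 0, so the client's chunked framing is not forwarded.
function forwardHeadersBuggy(method, headers) {
  const out = { ...headers };
  if (BODILESS.has(method)) {
    delete out['transfer-encoding'];
    out['content-length'] = '0';
  }
  return out;
}

// Fixed rule from the advisory: add content-length: 0 only when neither
// content-length nor transfer-encoding is present, and never strip
// transfer-encoding.
function forwardHeadersFixed(method, headers) {
  const out = { ...headers };
  if (!('content-length' in out) && !('transfer-encoding' in out)) out['content-length'] = '0';
  return out;
}

// True when the forwarded headers describe a different message boundary than
// the client's did. That disagreement is what lets a second request be smuggled.
function framingDisagrees(clientHeaders, forwardedHeaders) {
  if (hasChunked(clientHeaders) !== hasChunked(forwardedHeaders)) return true;
  return (clientHeaders['content-length'] ?? null) !== (forwardedHeaders['content-length'] ?? null);
}

// Workaround: refuse chunked DELETE/OPTIONS at the edge before any rewrite runs.
function edgeShouldReject(method, headers) {
  return BODILESS.has(method) && hasChunked(headers);
}

// Constructed request: a chunked DELETE aimed at a rewritten route.
const CHUNKED_DELETE = { host: 'app.example', 'transfer-encoding': 'chunked' };

function demoSmuggling() {
  return {
    buggyDisagrees: framingDisagrees(CHUNKED_DELETE, forwardHeadersBuggy('DELETE', CHUNKED_DELETE)),
    fixedDisagrees: framingDisagrees(CHUNKED_DELETE, forwardHeadersFixed('DELETE', CHUNKED_DELETE)),
    plainDeleteGetsLength: forwardHeadersFixed('DELETE', { host: 'app.example' })['content-length'],
    edgeBlocks: edgeShouldReject('DELETE', CHUNKED_DELETE),
    edgeAllowsGet: edgeShouldReject('GET', CHUNKED_DELETE),
  };
}
```

`hasChunked` splits the header on commas because `Transfer-Encoding` is a list; a check that only compares the whole value to `chunked` would miss `gzip, chunked`, which an edge block written as a simple string equality would let through.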
Publish Date: Mar 18, 2026 01:55 AM
URL: CVE-2026-29057
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@dc98c04
Release Date: Mar 18, 2026 12:30 AM
Fix Resolution : next 15.5.13 or 16.1.7 (tags v15.5.13 and v16.1.7 at https://github.com/vercel/next.js.git)
🟠CVE-2026-2950
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
config-0.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
ai-commands-0.0.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
studio-0.0.9.tgz (Root Library)
common-0.0.0.tgz (Root Library)
@supabase/vue-blocks-0.1.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
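The mechanics behind CVE-2025-13465 above and the bypass in CVE-2026-2950, as an added example (not lodash's code): a guard that compares raw path segments against forbidden names misses a segment that is not a string but coerces to one, since `['__proto__'] + ''` is `'__proto__'`. That 4.17.23 implemented its check in exactly this form is an assumption; the array-wrapped-segment bypass is what the advisory describes. The `Widget` class is constructed so the demo deletes from a throwaway prototype rather than a built-in.

```javascript
// Added example, not lodash source. Models the path handling behind
// CVE-2025-13465 and the CVE-2026-2950 bypass: checking the raw segment before
// string coercion lets ['__proto__'] through, because it coerces to "__proto__".
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Path segments become property keys by string coercion, as in lodash's toKey.
function toKey(segment) {
  return typeof segment === 'string' ? segment : String(segment);
}

function walkAndDelete(obj, keys) {
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur == null) return true;          // nothing to delete
    cur = cur[keys[i]];
  }
  if (cur == null) return true;
  return delete cur[keys[keys.length - 1]];
}

// Weak guard (assumed shape of the first fix): checks the raw segment, then
// coerces. An array-wrapped segment passes the check and still resolves to
// "__proto__".
function unsetWeak(obj, path) {
  for (const seg of path) if (FORBIDDEN.has(seg)) return false;
  return walkAndDelete(obj, path.map(toKey));
}

// Strong guard: coerce first, then check the key that will actually be used.
function unsetStrong(obj, path) {
  const keys = path.map(toKey);
  for (const k of keys) if (FORBIDDEN.has(k)) return false;
  return walkAndDelete(obj, keys);
}

// A fresh class per demo so deleting from its prototype does not leak between
// runs; a real attack targets Object.prototype or another built-in instead.
function makeWidget() {
  return class Widget { greet() { return 'hi'; } };
}

function demoWeak() {
  const Widget = makeWidget();
  const w = new Widget();
  const stringBlocked = unsetWeak(w, ['__proto__', 'greet']) === false;
  const arrayBypassed = unsetWeak(w, [['__proto__'], 'greet']) === true;
  return { stringBlocked, arrayBypassed, greet: typeof Widget.prototype.greet };
}

function demoStrong() {
  const Widget = makeWidget();
  const w = new Widget();
  w.tmp = 1;
  const arrayBlocked = unsetStrong(w, [['__proto__'], 'greet']) === false;
  const normalDelete = unsetStrong(w, ['tmp']) === true && !('tmp' in w);
  return { arrayBlocked, normalDelete, greet: typeof Widget.prototype.greet };
}
```

The lesson generalises beyond lodash: any allow/deny check on a property path must run on the value after every coercion the sink will apply, never on the value the caller handed in.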
Publish Date: Mar 31, 2026 07:18 PM
URL: CVE-2026-2950
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 6.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: Mar 31, 2026 07:18 PM
Fix Resolution : lodash-es 4.17.23, lodash-amd 4.17.23, lodash 4.17.23. Note that the advisory text above lists 4.17.23 as still affected and names 4.18.0 as the patched release, so 4.18.0 is the version to target.
🟠CVE-2025-59471
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
common-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A denial of service vulnerability exists in self-hosted Next.js applications that have "remotePatterns" configured for the Image Optimizer. The image optimization endpoint ("/_next/image") loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that "remotePatterns" is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Publish Date: Jan 26, 2026 09:43 PM
URL: CVE-2025-59471
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-9g9p-9gw9-jx7f
Release Date: Jan 26, 2026 09:43 PM
Fix Resolution : next 15.5.10 or 16.1.5
🟠CVE-2025-59472
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
common-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the "Next-Resume: 1" header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:
Both attack vectors result in a fatal V8 out-of-memory error ("FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory") causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.
To be affected you must have an application running with "experimental.ppr: true" or "cacheComponents: true" configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jan 26, 2026 09:43 PM
URL: CVE-2025-59472
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-5f7q-jpqc-wp7h
Release Date: Jan 26, 2026 09:43 PM
Fix Resolution : next 16.1.5 (also listed: 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.1.1, 15.2.0, 15.2.1, 15.2.2, 15.3.0, 15.3.1, 15.4.0, 15.4.2). The listed 15.x entries all predate the installed 15.5.7 and are not upgrade targets for this project; the advisory itself names 15.6.0-canary.61 or 16.1.5.
🟠CVE-2026-27980
Vulnerable Library - next-15.5.7.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.5.7.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
ui-library-0.1.0.tgz (Root Library)
cms-1.0.0.tgz (Root Library)
ui-patterns-0.0.0.tgz (Root Library)
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
common-0.0.0.tgz (Root Library)
www-0.0.3.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache ("/_next/image") did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with "images.maximumDiskCacheSize", including eviction of least-recently-used entries when the limit is exceeded. Setting "maximumDiskCacheSize: 0" disables disk caching. If upgrading is not immediately possible, periodically clean ".next/cache/images" and/or reduce variant cardinality (e.g., tighten values for "images.localPatterns", "images.remotePatterns", and "images.qualities").
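Both CVE-2025-59471 above and this finding come down to the `images` section of `next.config.js`: an over-broad `remotePatterns` entry is the precondition for the first, and an uncapped disk cache is the second. As an added example (not part of Next.js), here is a small lint over that section with a weak and a hardened configuration beside it. Option names (`remotePatterns`, `localPatterns`, `qualities`, `maximumDiskCacheSize`, `unoptimized`) come from the advisories and the Next.js config; the hostnames, the cache size value and its unit are assumptions to confirm against the Next.js docs.

```javascript
// Added example, not part of Next.js. Lints the images section of
// next.config.js for the preconditions of CVE-2025-59471 (catch-all
// remotePatterns) and CVE-2026-27980 (unbounded optimizer disk cache).
function lintImagesConfig(images = {}) {
  const findings = [];
  if (images.unoptimized === true) return findings;   // /_next/image is not in use

  const patterns = Array.isArray(images.remotePatterns) ? images.remotePatterns : [];
  for (const p of patterns) {
    const host = String(p.hostname ?? '');
    if (host === '' || host === '*' || host === '**') {
      findings.push(`remotePatterns: hostname "${host}" admits any origin (CVE-2025-59471 precondition)`);
    } else if (host.startsWith('*')) {
      findings.push(`remotePatterns: hostname "${host}" admits any subdomain; confirm none is attacker-registrable`);
    }
    if (p.protocol !== undefined && p.protocol !== 'https') {
      findings.push(`remotePatterns: "${host}" allows ${p.protocol} fetches`);
    }
    if (!p.pathname) findings.push(`remotePatterns: "${host}" has no pathname restriction`);
  }
  if (images.maximumDiskCacheSize === undefined) {
    findings.push('maximumDiskCacheSize unset: optimizer disk cache is unbounded (CVE-2026-27980; option available from 16.1.7)');
  }
  if (!Array.isArray(images.qualities)) {
    findings.push('qualities unset: restrict it to cut the number of cacheable variants');
  }
  return findings;
}

// Constructed configs. The weak one is the catch-all that lets an attacker point
// /_next/image at a host they control; the hardened one pins host and path,
// restricts qualities and caps the cache.
const WEAK_IMAGES = { remotePatterns: [{ protocol: 'https', hostname: '**' }] };
const HARDENED_IMAGES = {
  remotePatterns: [{ protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' }],
  qualities: [75],
  maximumDiskCacheSize: 256 * 1024 * 1024,   // assumption: bytes; 0 disables the disk cache
};
```

Run it against the `images` object of each app's config in the monorepo; an empty findings list for a config that still has `remotePatterns` means the allow-list is pinned, not that the endpoint is safe against a large image served from an allowed host, which only the 15.5.10/16.1.5 upgrade addresses.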
Publish Date: Mar 18, 2026 12:23 AM
URL: CVE-2026-27980
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: vercel/next.js@39eb8e0
Release Date: Mar 18, 2026 12:23 AM
Fix Resolution : next 15.5.13 or 16.1.7 (tags v15.5.13 and v16.1.7 at https://github.com/vercel/next.js.git)
🟠CVE-2026-33532
Vulnerable Library - yaml-2.8.1.tgz
JavaScript parser and stringifier for YAML
Library home page: https://registry.npmjs.org/yaml/-/yaml-2.8.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
design-system-0.1.0.tgz (Root Library)
docs-0.0.0.tgz (Root Library)
ui-0.0.0.tgz (Root Library)
studio-0.0.9.tgz (Root Library)
@supabase/vue-blocks-0.1.0.tgz (Root Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
"yaml" is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of "yaml" on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound.
An attacker who can supply YAML for parsing can trigger a "RangeError: Maximum call stack size exceeded" with a small payload (~2–10 KB). The "RangeError" is not a "YAMLParseError", so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process.
Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one "[" and one "]"). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB of input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation).
Note: the library's "Parser" (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: "YAML.parse()", "YAML.parseDocument()", and "YAML.parseAllDocuments()". Versions 1.10.3 and 2.8.3 contain a patch.
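Two controls a caller can apply while the upgrade is pending, as an added example (not the yaml package's code): a cheap nesting-depth pre-check on the raw text, and a parse wrapper that turns an escaping `RangeError` into an ordinary failed result instead of an unhandled exception of a type the YAML-specific catch never sees. The real parser (for instance `YAML.parse`) is passed in as a function so the example runs without the package; `toyCompose` is a constructed stand-in that recurses once per nesting level, the way the advisory describes the compose phase doing, and `MAX_FLOW_DEPTH` is an assumed limit.

```javascript
// Added example, not the yaml package's code. A depth pre-check plus a wrapper
// that classifies the RangeError CVE-2026-33532 describes instead of letting it
// escape past a catch written for YAMLParseError only.
const MAX_FLOW_DEPTH = 64;   // assumption: raise it if your documents nest deeper

// Deepest nesting of flow collections ('[' / '{') in the text, ignoring
// brackets inside quoted scalars and comments so they do not inflate the count.
function maxFlowDepth(text) {
  let depth = 0;
  let max = 0;
  let quote = null;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quote !== null) {                        // inside a quoted scalar
      if (c === '\\' && quote === '"') i += 1;   // skip the escaped char
      else if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'") { quote = c; continue; }
    if (c === '#' && (i === 0 || /\s/.test(text[i - 1]))) {   // comment to end of line
      while (i < text.length && text[i] !== '\n') i += 1;
      continue;
    }
    if (c === '[' || c === '{') { depth += 1; if (depth > max) max = depth; }
    else if (c === ']' || c === '}') depth = Math.max(0, depth - 1);
  }
  return max;
}

function safeParseYaml(text, parse, limit = MAX_FLOW_DEPTH) {
  const depth = maxFlowDepth(text);
  if (depth > limit) return { ok: false, error: 'nesting-too-deep', depth };
  try {
    return { ok: true, value: parse(text) };
  } catch (e) {
    // A RangeError is not a YAMLParseError: name it rather than let it escape.
    if (e instanceof RangeError) return { ok: false, error: 'stack-exhausted' };
    return { ok: false, error: 'parse-error', message: String(e && e.message) };
  }
}

// Constructed stand-in for a recursive composer: handles only nested flow
// sequences and recurses once per level.
function toyCompose(text) {
  let pos = 0;
  function node() {
    if (text[pos] !== '[') throw new Error('expected [ at ' + pos);
    pos += 1;
    const items = [];
    while (text[pos] !== ']') {
      if (pos >= text.length) throw new Error('unterminated sequence');
      if (text[pos] === ',') { pos += 1; continue; }
      items.push(node());
    }
    pos += 1;
    return items;
  }
  const value = node();
  if (pos !== text.length) throw new Error('trailing input');
  return value;
}

const DEEP = '['.repeat(100000) + ']'.repeat(100000);   // constructed ~200 KB payload

function demoYaml() {
  return {
    small: safeParseYaml('[[],[]]', toyCompose),
    guarded: safeParseYaml(DEEP, toyCompose).error,
    unguarded: safeParseYaml(DEEP, toyCompose, Infinity).error,
    commentAware: maxFlowDepth('a: "[[[" # [[[\nb: [1, [2]]'),
  };
}
```

The pre-check is deliberately approximate (it does not model every YAML quoting rule), so treat it as a cheap first gate; the wrapper is what guarantees the process survives whatever the parser throws.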
Publish Date: Mar 26, 2026 07:49 PM
URL: CVE-2026-33532
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 4.3
Suggested Fix
Type: Upgrade version
Origin: eemeli/yaml@1e84ebb
Release Date: Mar 25, 2026 10:02 PM
Fix Resolution : yaml 1.10.3 (1.x branch) or 2.8.3 (2.x branch); tags v1.10.3 and v2.8.3 at https://github.com/eemeli/yaml.git. For the installed 2.8.1 that is 2.8.3.