| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-40608 | Next AI Draw.io: Unbounded HTTP Body — Denial of Service | DayuanJiang | next-ai-draw-io | Medium | 6.2 | 2026-04-21 17:56:35 | Deep Dive |
| CVE-2026-40299 | next-intl has an open redirect vulnerability | amannn | next-intl | - | - | 2026-04-17 20:49:06 | Deep Dive |
| CVE-2026-35394 | Mobile Next has Arbitrary Android Intent Execution via mobile_open_url | mobile-next | mobile-mcp | High | 8.3 | 2026-04-06 20:52:25 | Deep Dive |
| CVE-2026-33989 | @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools | mobile-next | mobile-mcp | High | 8.1 | 2026-03-27 22:03:02 | Deep Dive |
| CVE-2026-4549 | mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization | mickasmt | next-saas-stripe-starter | Low | 3.1 | 2026-03-22 13:47:25 | Deep Dive |
| CVE-2026-4548 | mickasmt next-saas-stripe-starter update-user-role.ts updateUserrole improper authorization | mickasmt | next-saas-stripe-starter | Medium | 6.3 | 2026-03-22 13:02:44 | Deep Dive |
| CVE-2026-4547 | mickasmt next-saas-stripe-starter Checkout generate-user-stripe.ts generateUserStripe logic error | mickasmt | next-saas-stripe-starter | Medium | 4.3 | 2026-03-22 13:02:42 | Deep Dive |
| CVE-2026-4302 | WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API | wpxpo | WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation | High | 7.2 | 2026-03-21 01:24:38 | Deep Dive |
| CVE-2026-29057 | Next.js: HTTP request smuggling in rewrites | vercel | next.js | Medium | - | 2026-03-18 00:30:28 | Deep Dive |
| CVE-2026-27980 | Next.js: Unbounded next/image disk cache growth can exhaust storage | vercel | next.js | High | - | 2026-03-18 00:23:35 | Deep Dive |
| CVE-2026-27979 | Next.js: Unbounded postponed resume buffering can lead to DoS | vercel | next.js | High | - | 2026-03-18 00:13:30 | Deep Dive |
| CVE-2026-27978 | Next.js: null origin can bypass Server Actions CSRF checks | vercel | next.js | Medium | - | 2026-03-17 23:59:23 | Deep Dive |
| CVE-2026-27977 | Next.js: null origin can bypass dev HMR websocket CSRF checks | vercel | next.js | Medium | - | 2026-03-17 23:56:25 | Deep Dive |
| CVE-2015-20120 | RealtyScript 4.0.2 Multiple Time-based Blind SQL Injection | Next Click Ventures | RealtyScript | High | 8.2 | 2026-03-15 18:35:44 | Deep Dive |
| CVE-2015-20121 | RealtyScript 4.0.2 SQL Injection via u_id and agent Parameters | Next Click Ventures | RealtyScripts | High | 8.2 | 2026-03-15 18:34:20 | Deep Dive |
| CVE-2015-20119 | RealtyScript 4.0.2 Stored Cross-Site Scripting via text Parameter in pages.php | Next Click Ventures | RealtyScript | Medium | 6.4 | 2026-03-15 18:34:18 | Deep Dive |
| CVE-2015-20118 | RealtyScript 4.0.2 Stored Cross-Site Scripting via location_name Parameter | Next Click Ventures | RealtyScript | High | 7.2 | 2026-03-15 18:34:17 | Deep Dive |
| CVE-2015-20117 | RealtyScript 4.0.2 Cross-Site Request Forgery Unauthorized User Creation | Next Click Ventures | RealtyScript | Medium | 5.3 | 2026-03-15 18:34:16 | Deep Dive |
| CVE-2015-20115 | RealtyScript 4.0.2 Stored Cross-Site Scripting via File Upload Parameter | Next Click Ventures | RealtyScript | High | 7.2 | 2026-03-15 18:34:14 | Deep Dive |
| CVE-2015-20116 | RealtyScript 4.0.2 Stored Cross-Site Scripting via CSV File Upload Filename | Next Click Ventures | RealtyScript | Medium | 6.1 | 2026-03-15 18:34:14 | Deep Dive |