VYPR

apk package

chainguard/keep-ui

pkg:apk/chainguard/keep-ui

Vulnerabilities (17)

  • CVE-2026-45109 | High | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.

  • CVE-2026-44582 | Low | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected co

  • CVE-2026-44581 | Medium | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed no

  • CVE-2026-44580 | Medium | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script cont

  • CVE-2026-44579 | High | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In

  • CVE-2026-44578 | High | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker ca

  • CVE-2026-44577 | Medium | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. A

  • CVE-2026-44576 | Medium | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditi

  • CVE-2026-44575 | High | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used fo

  • CVE-2026-44574 | High | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters c

  • CVE-2026-44573 | High | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-l

  • CVE-2026-44572 | Low | May 13, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send an x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/pr

  • CVE-2026-6322 | High | May 5, 2026
    affected < 0.51.0-r7 | fixed 0.51.0-r7

    fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw

  • CVE-2026-6321 | High | May 4, 2026
    affected < 0.51.0-r6 | fixed 0.51.0-r6

    fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize

  • CVE-2026-41305 | Medium | Apr 24, 2026
    affected < 0.51.0-r6 | fixed 0.51.0-r6

    PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for em

  • CVE-2026-29057 | Mar 18, 2026
    affected < 0.51.0-r1 | fixed 0.51.0-r1

    Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could tri

  • CVE-2026-27980 | Mar 18, 2026
    affected < 0.51.0-r5 | fixed 0.51.0-r5

    Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker