apk package
chainguard/keep-ui
pkg:apk/chainguard/keep-ui
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-45109 | Hig | 7.5 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6. | |
| CVE-2026-44582 | Low | 3.7 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected co | |
| CVE-2026-44581 | Med | 4.7 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed no | |
| CVE-2026-44580 | Med | 6.1 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script cont | |
| CVE-2026-44579 | Hig | 7.5 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In | |
| CVE-2026-44578 | Hig | 8.6 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker ca | |
| CVE-2026-44577 | Med | 5.9 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. A | |
| CVE-2026-44576 | Med | 5.4 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditi | |
| CVE-2026-44575 | Hig | 7.5 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used fo | |
| CVE-2026-44574 | Hig | 8.1 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters c | |
| CVE-2026-44573 | Hig | 7.5 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-l | |
| CVE-2026-44572 | Low | 3.7 | < 0.51.0-r7 | 0.51.0-r7 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/pr | |
| CVE-2026-6322 | Hig | 7.5 | < 0.51.0-r7 | 0.51.0-r7 | May 5, 2026 | fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw | |
| CVE-2026-6321 | Hig | 7.5 | < 0.51.0-r6 | 0.51.0-r6 | May 4, 2026 | fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize | |
| CVE-2026-41305 | Med | 6.1 | < 0.51.0-r6 | 0.51.0-r6 | Apr 24, 2026 | PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for em | |
| CVE-2026-29057 | — | < 0.51.0-r1 | 0.51.0-r1 | Mar 18, 2026 | Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could tri | ||
| CVE-2026-27980 | — | < 0.51.0-r5 | 0.51.0-r5 | Mar 18, 2026 | Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker |
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected co
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed no
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script cont
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker ca
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. A
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditi
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used fo
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters c
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-l
- affected < 0.51.0-r7fixed 0.51.0-r7
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/pr
- affected < 0.51.0-r7fixed 0.51.0-r7
fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw
- affected < 0.51.0-r6fixed 0.51.0-r6
fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalize
- affected < 0.51.0-r6fixed 0.51.0-r6
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for em
- CVE-2026-29057Mar 18, 2026affected < 0.51.0-r1fixed 0.51.0-r1
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could tri
- CVE-2026-27980Mar 18, 2026affected < 0.51.0-r5fixed 0.51.0-r5
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker