VYPR
Vendor: Vercel

Products: 15
CVEs: 69
Across products: 72
Status: Private

Recent CVEs (69)
  • CVE-2026-45772 | Critical | May 15, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package…

  • CVE-2026-46508 | High | May 15, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo…

  • CVE-2026-26156 | High | Apr 14, 2026
    risk 0.51 | cvss 7.8 | epss 0.00

    Heap-based buffer overflow in Windows Hyper-V allows an unauthorized attacker to execute code locally.

  • CVE-2026-44578 | High | May 13, 2026
    risk 0.49 | cvss 8.6 | epss 0.38

    Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker…

  • CVE-2015-8315 | High | Jan 23, 2017
    risk 0.49 | cvss 7.5 | epss 0.07

    The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

  • CVE-2026-8768 | High | May 17, 2026
    risk 0.47 | cvss 7.3 | epss 0.00

    A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be…

  • CVE-2026-44574 | High | May 13, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters…

  • CVE-2026-45109 | High | May 13, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.

  • CVE-2026-44579 | High | May 13, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In…

  • CVE-2026-44575 | High | May 13, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used…

  • CVE-2026-44573 | High | May 13, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through…

  • CVE-2026-44479 | Medium | May 13, 2026
    risk 0.36 | cvss 5.5 | epss 0.00

    Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, when the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested…

  • CVE-2026-45773 | Medium | May 15, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web…

  • CVE-2025-46332 | Medium | May 2, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    Flags SDK is an open-source feature flags toolkit for Next.js and SvelteKit. Impacted versions include flags from 3.2.0 and prior and @vercel/flags from 3.1.1 and prior, as certain circumstances allow a bad actor with detailed knowledge of the vulnerability to list all flags…

  • CVE-2025-23027 | Medium | Jan 13, 2025
    risk 0.34 | cvss | epss 0.00

    next-forge is a Next.js project boilerplate for modern web applications. The BASEHUB_TOKEN was committed in apps/web/.env.example. Users should avoid use of this token and should remove any access it may have in their systems.

  • CVE-2026-8767 | Medium | May 17, 2026
    risk 0.33 | cvss 5.0 | epss 0.04

    A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The…

  • CVE-2026-44580 | Medium | May 13, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script…

  • CVE-2026-44577 | Medium | May 13, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit.…

  • CVE-2026-8769 | Medium | May 17, 2026
    risk 0.28 | cvss 4.3 | epss 0.01

    A vulnerability was determined in vercel ai up to 3.0.97. The impacted element is the function createJsonResponseHandler/createJsonErrorResponseHandler of the file packages/provider-utils/src/response-handler.ts of the component provider-utils. This manipulation causes resource…

  • CVE-2026-44576 | Medium | May 13, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected…