Nextjs

vulnerability 2026-04-25
Clerk CVE-2026-41248: createRouteMatcher Bypass Skips Middleware Gating Across Next.js, Nuxt, and Astro
Crafted requests slip past createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro, bypassing middleware-level route protection. Patches landed across three major version branches per SDK on April 24.
clerk authentication nextjs nuxt astro middleware-bypass cve-2026-41248 ghsa-vqx2-fgx2-5wq9
vulnerabilities 2026-04-03
React2Shell Under Mass Exploitation: 766+ Next.js Hosts Breached in Credential Harvesting Campaign
Threat actor UAT-10608 is mass-exploiting CVE-2025-55182 (React2Shell) to breach Next.js deployments and harvest cloud credentials, SSH keys, and API tokens at scale.
react nextjs rce credential-theft cloud-security CVE-2025-55182

Clerk CVE-2026-41248: createRouteMatcher Bypass Skips Middleware Gating Across Next.js, Nuxt, and Astro