Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer.
Improper authorization in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 18.9% and no vendor patch available.
Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.