SecAlerts
CVE ListPricingSign Up
vercel logo

vercel

Security Risk Profile

43
/100
medium

Security Risk Score

Comprehensive risk assessment based on 89 vulnerabilities, EPSS scores, exploitation status, and remediation availability.

📅 Data spans from January 23, 2017 to present

89
Total CVEs
31
Critical+High
7
Exploited
5
Unpatched

Threat Assessment

Avg CVSS
6.4
Base severity
Avg EPSS
7%
Exploit probability
Unpatched
5
Critical/High
Risk Level
43/100
medium
⚠️ 7 Active Exploits 5 Zero-Days📈 18 in Last 30 Days

Severity Distribution

Critical
3
High
28
Medium
24
Low
7

Exploit Likelihood

>50% chance
1
20-50%
0
5-20%
0
<5%
11

Age Distribution

Common Weaknesses (CWE)

1
SSRF
5
2
XSS
4
3
Input Validation
4
4
Command Injection
2
5
CSRF
2

Most Affected Products

1. Vercel Next.js Node.js497
2. npm/next78
3. Vercel Next.js29
4. npm/react-server-dom-webpack14
5. npm/react-server-dom-turbopack14

Recent Vulnerabilities

See more →
CVE-2026-8769
CVSS 2.1EPSS 0%low

vercel ai provider-utils response-handler.ts createJsonErrorResponseHandler resource consumption

5/17/2026🔧 No Patch
CVE-2026-8768
CVSS 5.5EPSS 0%medium

vercel ai provider-utils download-blob.ts validateDownloadUrl server-side request forgery

5/17/2026🔧 No Patch
CVE-2026-8767
CVSS 1.3EPSS 0%low

vercel ai PR Branch Name Interpolation prettier-on-automerge.yml run os command injection

5/17/2026🔧 No Patch
CVE-2026-45773
CVSS 5.1medium

Turborepo: Login callback CSRF/session fixation

5/15/2026
CVE-2026-46508
CVSS 8.4high

Turborepo: VSCode Extension command injection

5/15/2026🔧 No Patch
CVE-2026-45772
CVSS 0.0low

Turborepo: Unexpected local code execution during Yarn Berry detection

5/15/2026
CVE-2026-45109
CVSS 7.5high

Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

5/11/2026
CVE-2026-44572
CVSS 5.9medium

Next.js: Middleware / Proxy redirects can be cache-poisoned

5/11/2026
CVE-2026-44581
CVSS 4.7medium

Next.js: Cross-site scripting in App Router applications using CSP nonces

5/11/2026
CVE-2026-44582
CVSS 3.7low

Next.js: Cache poisoning via collisions in React Server Component cache-busting

5/11/2026

Monitor vercel in Real-Time

Get instant alerts when new vulnerabilities are discovered. Stay ahead of security threats with SecAlerts.

Start Free TrialBook a Demo
Powered bySecAlerts

Monitor Your Software Stack in Real-Time

Get instant alerts when vulnerabilities are discovered in your software stack. Stay ahead of security threats with SecAlerts.

Start Free TrialBook a Demo
AboutNewsDocumentationTermsContact

© 2026 SecAlerts Pty Ltd. All rights reserved.