Security fixes only

Security Changelog

A security changelog tracks vulnerability fixes, affected versions, patched versions, workarounds, and upstream advisories. This page is generated from GitHub repository security advisories and excludes reserved disclosures, product updates, release-only metadata, and general release notes.

Fixes: 108, Projects: 4

Featured project

Next.js security changelog

The first tracked project is Next.js. The changelog lists only security fixes: CVEs, affected components, impacted versions, fixed versions, workarounds, and upstream security advisories.

Featured Next.js fix

2026-05-11 CVE-2026-44577 Medium

Next.js has a Denial of Service in the Image Optimization API

Impact: When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the `/_next/image` endpoint that match the `images.localPatterns` configuration (by default, all patterns are allowed).

- If you are using `images.localPatterns`, only the patterns in that array are impacted.
- If you are using `images.unoptimized: true…

Affected component: next
Fixed in: 15.5.16, 16.2.5

Tracked projects

What belongs in this changelog?

Included: published vulnerability fixes with a patch date, upstream fix, CVE or advisory reference, and security impact.

Excluded: reserved disclosures, unreleased reports, feature releases, refactors, performance work, dependency bumps without a security fix, and general product updates.

Self-updating means new published advisories added to the structured advisory data automatically appear here, on vendor pages, in the sitemap, and in LLM-readable site maps.