Rapid7 is warning customers of notable vulnerabilities in Next.js, a React framework for building web applications, and CrushFTP, a file transfer technology that has previously been targeted by adversaries.
CVE-2025-29927 is a critical improper authorization vulnerability in Next.js middleware that could (theoretically) allow an attacker to bypass authorization checks in a Next.js application, if the authorization check occurs in middleware.
Read more…
Source: Rapid7
Related:
- Disgruntled researcher releases second major Windows zero-day
April 17, 2026
The same disgruntled researcher who recently disclosed a zero-day vulnerability in Windows has now done it again, this time targeting Microsoft Defender, the operating system’s native antivirus solution. A researcher with the alias “Chaotic Eclipse” has posted a proof-of-concept (PoC) exploit for a vulnerability they named “RedSun”. It is a local privilege escalation flaw that allows ...
- Patch these critical Fortinet sandbox bugs that let attackers bypass login, run commands over HTTP
April 15, 2026
Watch out for more Fortinet vulns! Two critical bugs in Fortinet’s sandbox could allow unauthenticated attackers to bypass authentication or execute unauthorized code on vulnerable systems. Luckily, the security vendor has issued fixes – so patch now – and so far, there are no reports of active exploitation. But considering that the vulnerabilities are now public, ...
- Patch Tuesday – April 2026
April 14, 2026
Microsoft is publishing 167 vulnerabilities on April 2026 Patch Tuesday. Microsoft is aware of exploitation in the wild for one of today’s vulnerabilities, and public disclosure for one other. Microsoft evaluates 19 of the vulnerabilities published today as more likely to see future exploitation. So far this month, Microsoft has provided patches to address 80 browser ...
- Zombie Microsoft bugs rise from the dead, pave way for crims and ransomware scum
April 13, 2026
Crooks are exploiting four Microsoft vulnerabilities – one patched 14 years ago and another tied to ransomware activity – according to America’s lead cyber-defense agency, which on Monday gave federal agencies two weeks to patch them. The four vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Monday are: CVE-2025-60710, a link-following vulnerability in Windows ...
- Attackers exploited critical FortiClient EMS bug as a 0-day
April 6, 2026
Fortinet released an emergency patch over the weekend for a critical FortiClient Enterprise Management Server (EMS) bug believed to be under attack since at least March 31. The flaw, tracked as CVE-2026-35616, is an improper access control vulnerability that allows unauthenticated attackers to execute unauthorized code or commands via crafted requests. It earned a critical 9.1 ...
- Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
April 6, 2026
The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption. Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, ...