Next.js moves to scheduled security releases
Next.js adopts scheduled monthly security releases with advance notice, replacing ad-hoc patching.
Summary
Vercel announced that Next.js will implement a formal monthly security release schedule with advance notice and embargo periods, shifting from previously ad-hoc patches. The program aims to give development teams predictable upgrade windows and allow Vercel to coordinate mitigations with hosting partners. The announcement follows critical vulnerabilities including React2Shell (CVE-2025-55182, CVSS 10.0) and a 2025 authorization bypass, both of which prompted security process improvements.
Full text
Research/Security News11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.By Kush Pandya - Jul 14, 2026
Indicators of Compromise
- cve — CVE-2025-55182
- cve — CVE-2025-55183
- cve — CVE-2025-55184
- cve — CVE-2025-67779
- cve — CVE-2025-29927
- malware — Earth Lamia
- malware — Jackpot Panda