CVE-2026-33750, CVE-2026-33671, CVE-2026-33671
Answered
Croatian Sheepdog posted this in #help-forum
Croatian SheepdogOP
I'm new to Next.js, and working on publishing Next.js applications to our ECR.
Aquascan is detecting these CVEs:
Compl | Resource        | File            | Vulnerability  | Severity | Version | Fix?
------+-----------------+-----------------+----------------+----------+---------+-----
ACK   | brace-expansion | brace-expansion | CVE-2026-33750 | HIGH     | 2.0.2   | ✔
ACK   | picomatch       | picomatch       | CVE-2026-33671 | HIGH     | 4.0.3   | ✔
PASS  | picomatch       | picomatch       | CVE-2026-33672 | MEDIUM   | 4.0.3   | ✔
Claude Code says at least the picomatch ones are because of Next.js (we are using 16.2.6), and suspecting brace-expansion to also be in Next.js (neither of those are in our package.json)
How can I know if/when these will be fixed in a new Next.js release?
3 Replies
https://github.com/vercel/next.js/issues/92950 or this issue
Croatian SheepdogOP
Lovely, thanks for the reply 🙏
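For the question of where picomatch and brace-expansion come from when neither is in package.json, this added example (not part of the thread, and not Next.js code) walks a package-lock.json `packages` map and returns every dependency chain from the project root to a named package. The lockfile is constructed and the `example-*` names and version 2.3.1 are placeholders; it makes no claim about the real Next.js dependency tree.

```javascript
// Constructed package-lock.json (lockfileVersion 2/3 layout). The example-* packages are
// placeholders; picomatch 4.0.3 and brace-expansion 2.0.2 are the versions the scanner flagged.
const lock = {
  packages: {
    "": { name: "my-app", dependencies: { "example-framework": "^1.0.0" }, devDependencies: { "example-lint": "^3.0.0" } },
    "node_modules/example-framework": { version: "1.0.0", dependencies: { "example-glob": "^2.0.0" } },
    "node_modules/example-glob": { version: "2.1.0", dependencies: { picomatch: "^4.0.0" } },
    "node_modules/example-lint": { version: "3.0.0", dependencies: { "brace-expansion": "^2.0.0", picomatch: "^2.3.0" } },
    "node_modules/example-lint/node_modules/picomatch": { version: "2.3.1" },
    "node_modules/picomatch": { version: "4.0.3" },
    "node_modules/brace-expansion": { version: "2.0.2" },
  },
};
const nameOf = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// Resolve `dep` as required from package path `from`, the way Node does:
// look in from/node_modules first, then in each enclosing node_modules directory.
function resolve(packages, from, dep) {
  for (let dir = from; ; dir = dir.slice(0, Math.max(dir.lastIndexOf("/node_modules/"), 0))) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!dir) return null; // reached the project root without a match
  }
}

// Return every chain "(root) > a@1 > b@2 > target@x" that pulls `target` in.
// Peer dependencies are not followed in this sketch.
function whyInstalled(lockfile, target) {
  const packages = lockfile.packages;
  const parents = {}; // resolved path -> paths of the packages that depend on it
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const hit = resolve(packages, path, dep);
      if (hit) (parents[hit] ||= []).push(path);
    }
  }
  const label = (p) => (p ? `${nameOf(p)}@${packages[p].version}` : "(root)");
  const chains = [];
  const walk = (path, chain, seen) => {
    if (path === "") return chains.push(chain.join(" > "));
    for (const parent of parents[path] || []) {
      if (!seen.has(parent)) walk(parent, [label(parent), ...chain], new Set(seen).add(parent));
    }
  };
  for (const path of Object.keys(packages)) {
    if (path && nameOf(path) === target) walk(path, [label(path)], new Set([path]));
  }
  return chains;
}
console.log(whyInstalled(lock, "picomatch"), whyInstalled(lock, "brace-expansion"));
```

On a real project, pass the parsed contents of your own package-lock.json instead of the constructed `lock` object. With dependencies installed, `npm explain picomatch` reports the same kind of chain.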