Programmer’s Digest #177

03/18/2026-03/25/2026 CVE-2025-29927 Exploited in the Wild, Critical NetScaler Flaw, Firefox 149 Patches Three Critical Memory Corruption Flaws And More.

1. Next.js Middleware Authorization Bypass CVE-2025-29927 Exploited in the Wild

On March 21, 2025, researchers published an advisory for CVE-2025-29927, a vulnerability in Next.js middleware that allows authorization bypass through a specially crafted HTTP request containing the internal header x-middleware-subrequest. The flaw affects Next.js versions prior to 12.3.5, 13.5.9, 14.2.25, and 15.2.3, and carries a CVSS score of 9.1 with an EPSS exploitation probability of 92.56%. The x-middleware-subrequest header was originally designed as an internal mechanism to prevent infinite recursive loops. By spoofing this header, external attackers can bypass middleware entirely, skipping authentication, authorization cookie validation, and Content Security Policy enforcement. Vercel-hosted deployments are automatically protected, but self-hosted applications using the next start command with output: standalone are vulnerable. Malicious IP addresses were observed attempting to exploit this vulnerability in GreyNoise Visualizer shortly after disclosure. 

Action: Upgrade to Next.js 12.3.5, 13.5.9, 14.2.25, or 15.2.3. As a short-term mitigation for self-hosted deployments, configure your reverse proxy (Nginx, Cloudflare, AWS ELB) to strip the x-middleware-subrequest header from all inbound requests. Never rely solely on middleware for authentication — enforce access controls at the route or controller level as well.
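To illustrate the two defensive measures above (stripping the internal header at the edge, and enforcing authorization at the route rather than only in middleware), here is an added example that is not code from the advisory or from the Next.js project. It assumes a plain Node.js-style request object with `headers`, `cookies` and `url`, and uses a constructed in-memory session store.

```javascript
// Added example (not from the advisory or the Next.js project): two defensive
// checks a self-hosted deployment can apply independently of Next.js middleware.
// Assumes a request object shaped like { headers, cookies, url }.

const INTERNAL_HEADER = 'x-middleware-subrequest';

// Edge-side hygiene: drop the internal header from anything arriving from a
// client, and report whether it was present so the event can be logged/alerted.
function sanitizeInboundHeaders(headers) {
  const cleaned = {};
  let stripped = false;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === INTERNAL_HEADER) {
      stripped = true; // an external client never legitimately sends this header
      continue;
    }
    cleaned[name.toLowerCase()] = value;
  }
  return { headers: cleaned, stripped };
}

// Route-level authorization: validate the session inside the handler, so a
// skipped middleware layer cannot grant access by itself.
// `sessions` stands in for a real session store (constructed for this example).
function authorizeRoute(req, sessions, requiredRole) {
  const token = req.cookies && req.cookies.session;
  const session = token ? sessions.get(token) : undefined;
  if (!session) return { ok: false, status: 401, reason: 'no valid session' };
  if (session.role !== requiredRole) return { ok: false, status: 403, reason: 'insufficient role' };
  return { ok: true, status: 200, user: session.user };
}

// End-to-end: sanitize first, then authorize; the middleware layer is not trusted.
function handleAdminRequest(req, sessions) {
  const { headers, stripped } = sanitizeInboundHeaders(req.headers);
  const decision = authorizeRoute({ ...req, headers }, sessions, 'admin');
  return { ...decision, suspicious: stripped };
}

// Constructed sample session store for demonstration
const sessions = new Map([
  ['tok-alice', { user: 'alice', role: 'admin' }],
  ['tok-bob', { user: 'bob', role: 'user' }],
]);
```

A `suspicious: true` result is worth alerting on: a request carrying this header from outside the proxy is a probe regardless of whether it succeeded.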

2. Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks

Citrix has released patches for two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical issue that could expose sensitive data.

CVE-2026-3055 (CVSS 9.3) involves insufficient input validation, leading to a memory overread. According to Rapid7, attackers could exploit this flaw remotely without authentication to access sensitive data in memory. However, it only affects systems configured as a SAML Identity Provider (SAML IdP), so default setups are not impacted.

CVE-2026-4368 (CVSS 7.7) is a race condition that may cause user session mix-ups. This requires the appliance to function as a gateway (e.g., SSL VPN or ICA Proxy) or an AAA server.

The flaws impact multiple NetScaler versions, and users should update immediately. Although no active exploitation is confirmed, past NetScaler bugs have been widely abused, making rapid patching essential.

3. Firefox 149 Patches Three Critical Memory Corruption Flaws Including a 9.8 CVE in the JavaScript Engine

CVE-2026-4715 is a critical vulnerability in the Graphics: Canvas2D component of Firefox and Firefox ESR, disclosed on March 24, 2026, with a CVSS score of 9.1. The flaw stems from uninitialized memory, meaning certain memory regions may be used without being properly cleared. This could allow attackers to leak sensitive data or potentially achieve arbitrary code execution.

The issue affects core graphics rendering, so it can likely be triggered through specially crafted web pages. Since the vulnerability is remotely exploitable without authentication, attackers would only need to trick users into visiting a malicious site. It impacts Firefox versions before 149 and Firefox ESR before 140.9. While no public proof-of-concept exists yet, exploitation is considered highly plausible. Users are strongly advised to update to Firefox 149 or Firefox ESR 140.9 or later to mitigate the risk and ensure protection.

4. Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages

The CanisterWorm campaign — attributed to the cloud-focused group TeamPCP — began March 20 when Socket researchers found a compromised npm publisher account injecting malicious code across packages. By March 21, the scope had expanded to 135 affected packages, with attackers leveraging existing trust relationships so that malicious code executed automatically during routine installs without requiring any changes from developers. A mutation discovered in @teale.io/eslint-config has proven especially dangerous: unlike the original deploy.js script, which the attacker had to run manually with stolen tokens, the new variant builds self-propagation directly into index.js via a findNpmTokens() function that executes automatically, stealing npm tokens and using them to infect every package the token can reach. The campaign uses a decentralized Solana blockchain dead-drop for C2, making infrastructure takedowns ineffective. In parallel, two React Native packages — react-native-international-phone-number and react-native-country-select — were compromised on March 16 with obfuscated preinstall hooks, targeting approximately 135,000 monthly downloads combined.

Action: Audit package-lock.json and yarn.lock for any packages from the CanisterWorm indicator list published by Socket. Treat any CI environment that ran npm install on affected packages as potentially compromised. Rotate npm tokens, GitHub tokens, and cloud credentials stored in those environments, and block outbound connections to known CanisterWorm C2 infrastructure.
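As an added example of the lockfile audit described above (not code from Socket or from any project named in this item), the following script walks a package-lock.json in the lockfile v2/v3 "packages" layout, flags names that appear in an indicator list, and separately lists every dependency that npm marks as running an install script, since the preinstall hooks mentioned above are exactly what such a review should surface. The INDICATORS set is constructed from package names mentioned in this digest; the authoritative list is Socket's, and the sample lockfile and its versions are placeholders.

```javascript
// Added example (not from Socket or any project above): audit a package-lock.json
// (lockfile v2/v3 "packages" layout) against an indicator list and surface every
// dependency that runs an install script.
// INDICATORS is constructed from names in this digest; use Socket's list in practice.

const INDICATORS = new Set([
  '@teale.io/eslint-config',
  'react-native-international-phone-number',
  'react-native-country-select',
]);

// Lockfile keys look like "node_modules/@scope/name" or
// "node_modules/a/node_modules/b"; the package name follows the last "node_modules/".
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

function auditLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const findings = { indicatorHits: [], installScripts: [] };
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name) continue; // the root "" entry is the project itself
    const record = { name, version: entry.version, path: key };
    if (INDICATORS.has(name)) findings.indicatorHits.push(record);
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall
    if (entry.hasInstallScript) findings.installScripts.push(record);
  }
  return findings;
}

// Constructed sample lockfile for demonstration; names/versions are placeholders.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '0.0.0-placeholder' },
    'node_modules/react-native-country-select': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/some-lib/node_modules/native-addon-placeholder': { version: '0.0.0-placeholder', hasInstallScript: true },
  },
});
```

Run it against a real lockfile with `auditLockfile(require('fs').readFileSync('package-lock.json', 'utf8'))`; every entry in `installScripts` deserves a look even when it is not on the indicator list.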

5. API Attack Rates Double Year-over-Year; Akamai Report Flags Behavior-Based Threats as New Normal

Akamai’s State of the Internet report published March 19, 2026, captures a sustained and worsening API threat environment. The average number of API attacks per enterprise per day reached 258 in 2025, more than double the 121 recorded in 2024, and most organizations reported at least one API-related security incident during the year. The shift is qualitative, not just quantitative: behavior-based threats — those that exploit how requests flow through workflows rather than relying on known signatures — now account for a growing share of API traffic, with attackers increasingly focused on degrading performance, driving up infrastructure costs, and exploiting AI-driven automation at scale.

Wallarm’s concurrent 2026 API ThreatStats report adds structural context: in 2025, APIs accounted for 11,053 of 67,058 published security bulletins — 17% of all reported vulnerabilities — and 36% of all identified AI vulnerabilities also qualify as API vulnerabilities.

Configuration and access control failures remain the most common root causes, dominated by security misconfiguration, broken authorization, and unsafe API consumption patterns.

Action: Add schema validation and strict object-level authorization checks to every API endpoint — not just your authentication layer. Instrument your API gateway to alert on anomalous request rates per endpoint, not just aggregate traffic. If your stack integrates AI tooling or MCP servers, audit those API surfaces explicitly, as they represent the fastest-growing overlap between AI and API attack surfaces.