Just found an issue in GHSA-9g9p-9gw9-jx7f (from 6773395).
Data on GitHub suggests that 16.1.15 is the only version above 16.0.0 for which the vulnerability is fixed. Same for 15.5.10 reported as the only 15.x with the fix. That's inaccurate, according to https://vercel.com/changelog/summary-of-cve-2026-23864
Fixes are done in 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5, 16.2.0-canary.9.
cc @andresriancho (mentioned in GHSA-9g9p-9gw9-jx7f)
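The effect of the discrepancy described in the comment above, as an added example that is not part of the original comment or of the advisory data: a check against one "first patched" version per major flags backported fixes as unpatched, while a check per release line does not. The function names are hypothetical, the fixed versions are copied from the comment, and treating anything older than a line's fix as unpatched is an assumption, since the comment gives no lower bound for affected versions.

```javascript
// Fixed releases per X.Y release line, copied from the comment above.
const FIXED = ["15.0.8", "15.1.12", "15.2.9", "15.3.9", "15.4.11", "15.5.10",
  "15.6.0-canary.61", "16.0.11", "16.1.5", "16.2.0-canary.9"];

// Parse "X.Y.Z" or "X.Y.Z-canary.N"; other prerelease tags are rejected.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  // A stable release sorts after every canary of the same X.Y.Z.
  const canary = m[4] === undefined ? Infinity : Number(m[4]);
  return [Number(m[1]), Number(m[2]), Number(m[3]), canary];
}

// Returns -1, 0 or 1, comparing major, minor, patch, then canary number.
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Model 1 (hypothetical): one "first patched" version for a whole major.
function singleRangeStatus(version, firstPatched) {
  return compare(version, firstPatched) >= 0 ? "patched" : "unpatched";
}

// Model 2 (hypothetical): compare against the fix for the version's own line.
// Assumption: older than the line's fix means unpatched; unlisted lines
// are reported as "unknown" rather than guessed.
function perLineStatus(version) {
  const [major, minor] = parse(version);
  const fix = FIXED.find((f) => {
    const [fMajor, fMinor] = parse(f);
    return fMajor === major && fMinor === minor;
  });
  if (!fix) return "unknown";
  return compare(version, fix) >= 0 ? "patched" : "unpatched";
}

// Constructed sample inventory, run through both models for the 15.x major.
function audit(versions, firstPatched) {
  return versions.map((v) => ({
    version: v,
    singleRange: singleRangeStatus(v, firstPatched),
    perLine: perLineStatus(v),
  }));
}

console.table(audit(["15.3.9", "15.4.10", "15.4.11", "15.5.10"], "15.5.10"));
```

Rows where the two columns disagree are installs that a scanner relying on the single-range data would report as vulnerable even though they carry the backported fix.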