Version 7.12.8

Author: seitenbau-govdata

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 7.12.8 2026-04-21
+- Fix CVE-2026-23869
+
 ## 7.12.7 2026-04-10
 - Fix CVE-2026-39363, CVE-2025-14874, CVE-2021-23337, GHSA-vvjj-xcjg-gr5g
 

src/owasp/suppressions.xml

@@ -1,3 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress until="2026-06-01Z">
+        <notes>lodash - Jsonwebtoken bundled in Next.js. Managed by Next.js compilation. Github Issue: https://github.com/vercel/next.js/issues/92454</notes>
+        <filePath regex="true">.*node_modules/next/dist/compiled/jsonwebtoken/index\.js</filePath>
+        <cve>CVE-2026-4800</cve>
+        <cve>CVE-2026-2950</cve>
+    </suppress>
+
+    <suppress until="2026-06-01Z">
+        <notes>lodash - Babel packages bundled in Next.js. Managed by Next.js compilation. Github Issue: https://github.com/vercel/next.js/issues/92454</notes>
+        <filePath regex="true">.*node_modules/next/dist/compiled/babel-packages/packages-bundle\.js</filePath>
+        <cve>CVE-2026-4800</cve>
+        <cve>CVE-2026-2950</cve>
+    </suppress>
 </suppressions>

webapp/package-lock.json

@@ -25,16 +25,16 @@
     "i18next": "^23.15.2",
     "ioredis": "^5.4.1",
     "iron-session": "^8.0.3",
-    "next": "16.1.7",
+    "next": "16.2.3",
     "nodemailer": "^8.0.5",
     "normalize.css": "^8.0.1",
     "ol": "^10.4.0",
     "ol-mapbox-style": "^12.4.1",
     "openid-client": "^6.8.1",
     "pino": "^9.5.0",
     "prismjs": "^1.30.0",
-    "react": "19.2.4",
-    "react-dom": "19.2.4",
+    "react": "19.2.5",
+    "react-dom": "19.2.5",
     "react-easy-crop": "^5.4.1",
     "sanitize-html": "^2.13.1",
     "sharp": "^0.34.2",