Rapid7 is warning customers of two notable vulnerabilities affecting Next.js (CVE-2025-29927) and file transfer software CrushFTP (no CVE).