CVE-2026-44578 - Vulnerability Analysis
High | CVSS: 8.6 | Last Updated: May 14, 2026
Next.js - Server-Side Request Forgery
Overview
Next.js from 13.4.13 to before 15.5.16 and 16.2.5 contains a server-side request forgery (SSRF) vulnerability in the built-in Node.js server. Crafted WebSocket upgrade requests let attackers proxy requests to arbitrary destinations. Exploitation requires a self-hosted deployment.
Impact
Attackers can proxy requests to internal or external services, exposing sensitive internal resources or cloud metadata endpoints.
Mitigation
Upgrade to versions 15.5.16 or 16.2.5 or later.
Social Media Activity (2 posts)
CVE-2026-44578 - High (8.6) Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket... https://www.thehackerwire.com/vulnerability/CVE-2026-44578/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
GitHub Repositories (2 repos)
Details
- CVE ID: CVE-2026-44578
- Severity: High
- CVSS Score: 8.6
- Type: server_side_request_forgery
- Status: confirmed
- EPSS: 3.2%
- Social Posts: 2
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N