Next.js is a React framework for building full-stack web applications. In versions from 13.4.13 up to but not including 15.5.16 and 16.2.5, self-hosted applications that use the built-in Node.js server are vulnerable to server-side request forgery (SSRF) through crafted WebSocket upgrade requests. An attacker can make the server proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Deployments hosted on Vercel are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5; self-hosters can confirm the installed release with `npm ls next` (or the equivalent command for their package manager) before upgrading.
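The advisory text above gives the affected range in prose, which is easy to misread when a lockfile contains several nested copies of `next`. The following is an added example, not code from the advisory or from the Next.js project: it encodes the stated range as two intervals, compares installed versions against them, and walks a `package-lock.json` (lockfileVersion 2 or 3, which carry a `packages` map) to report every installed copy. Two points are assumptions rather than statements from the advisory: the 16.x interval is taken to start at 16.0.0 (the wording "from 13.4.13 to before ... 16.2.5" and the listed 16.2.4 PoCs both point that way), and a prerelease build of a fix version (for example `15.5.16-canary.1`) is treated as still unfixed. The sample lockfile is constructed for the example.

```javascript
// Added example (not from the advisory or the Next.js project): flag Next.js
// versions inside the advisory's affected range for CVE-2026-44578.
// Assumptions, labelled: the 16.x range is taken to start at 16.0.0, and a
// prerelease of a fix version (e.g. 15.5.16-canary.1) is treated as unfixed.
const AFFECTED_RANGES = [
  { from: [13, 4, 13], before: [15, 5, 16] }, // fixed in 15.5.16
  { from: [16, 0, 0], before: [16, 2, 5] },   // fixed in 16.2.5 (16.0.0 floor assumed)
];

// Parse "v15.5.16-canary.1" into numeric parts plus an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] ?? null };
}

// Three-way compare on [major, minor, patch].
function cmpNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version sits inside any affected interval.
function isAffected(version) {
  const { nums, prerelease } = parseVersion(version);
  return AFFECTED_RANGES.some(({ from, before }) => {
    const atOrAboveIntro = cmpNums(nums, from) >= 0;
    // Strictly below the fix, or a prerelease build of the fix version itself.
    const belowFix =
      cmpNums(nums, before) < 0 || (cmpNums(nums, before) === 0 && prerelease !== null);
    return atOrAboveIntro && belowFix;
  });
}

// Walk a package-lock.json (lockfileVersion 2 or 3, which carry a "packages"
// map) and report every installed copy of "next". Nested copies live under
// paths like "node_modules/foo/node_modules/next".
function auditLockfile(lock, { selfHosted = true } = {}) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path !== "node_modules/next" && !path.endsWith("/node_modules/next")) continue;
    if (!entry || typeof entry.version !== "string") continue;
    const affected = isAffected(entry.version);
    findings.push({
      path,
      version: entry.version,
      affected,
      // The advisory scopes exploitability to self-hosted apps on the built-in
      // Node.js server; Vercel-hosted deployments are out of scope.
      exploitable: affected && selfHosted,
    });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { next: "15.5.15" } },
    "node_modules/next": { version: "15.5.15" },
    "node_modules/some-tool/node_modules/next": { version: "16.2.5" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

Run it with `node` against your own lockfile by replacing `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; pass `{ selfHosted: false }` for Vercel-hosted deployments so an in-range version is reported as present but not exploitable, matching the advisory's scoping.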
[POC] CVE-2026-44578 — nextssrf
NextSSRF: CVE-2026-44578 Scanner & Exploit (Next.js WebSocket Upgrade Handler SSRF)
[POC] CVE-2026-44578 — CVE-2026-44578
CVE-2026-44578: Next.js WebSocket Upgrade SSRF — pre-auth credential theft via localhost:80. Lab + exploit + audit.
[POC] CVE-2026-44578 — next-16.2.4-pocs
Next.js v16.2.4 Security PoC Collection (CVE-2026-44578, CVE-2026-44574, CVE-2026-23870, GHSA-267c-6grr-h53f, GHSA-mg66-mrh9-m8jx, CVE-2026-44573, GHSA-gx5p-jg67-6x7h, GHSA-h64f-5h5j-jqjh, GHSA-wfc6-r584-vfw7, CVE-2026-44581, CVE-2026-44582, GHSA-3g8h-86w9-wvmq)
[POC] CVE-2026-44578 — verify-ghsa-c4j6-fc7j-m34r
OOB verifier for GHSA-c4j6-fc7j-m34r / CVE-2026-44578 (Next.js WebSocket-upgrade SSRF)
[POC] CVE-2026-44578 — nextjs-cve-2026-44578
Nuclei templates for detecting CVE-2026-44578 (Next.js WebSocket Upgrade SSRF) with multi-cloud metadata validation, Next.js fingerprinting, and real-world scanning workflows. Includes references to the original NextSSRF research and exploit tooling.
[POC] CVE-2026-44578 — CVE-2026-44578
CVE-2026-44578
[POC] CVE-2026-44578 — NEXT-SSRF
SSRF: CVE-2026-44578 Scanner & Exploit (Next.js WebSocket Upgrade Handler SSRF)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N