High severity8.6GHSA Advisory· Published May 13, 2026· Updated May 14, 2026
CVE-2026-44578
CVE-2026-44578
Description
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nextnpm | >= 13.4.13, < 15.5.16 | 15.5.16 |
nextnpm | >= 16.0.0, < 16.2.5 | 16.2.5 |
Affected products
4- osv-coords2 versions
< 0.51.0-r7+ 1 more
- (no CPE)range: < 0.51.0-r7
- (no CPE)range: >= 13.4.13, < 15.5.16
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-c4j6-fc7j-m34rghsaADVISORY
- github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34rnvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-44578ghsaADVISORY
- github.com/vercel/next.js/releases/tag/v15.5.16ghsaWEB
- github.com/vercel/next.js/releases/tag/v16.2.5ghsaWEB
News mentions
2- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and MoreThe Hacker News · May 18, 2026
- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and MoreThe Hacker News · May 11, 2026