{
  "vulnerability": "CVE-2026-44578",
  "sightings": [
    {
      "uuid": "27b88c9b-d898-40fc-b39f-bcec7e82eae9",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "https://www.acn.gov.it/portale/w/next.js-aggiornamenti-di-sicurezza-1",
      "content": "",
      "creation_timestamp": "2026-05-08T12:09:44.000000Z"
    },
    {
      "uuid": "12339505-8a1a-4df1-aa6c-fa3496b954b1",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "https://bsky.app/profile/securestep9.bsky.social/post/3mlcfbrg7m62h",
      "content": "#NextJS and #React Server Components hit with 12 vulnerabilities with 3 high-severity vulns (CVE-2026-44574, CVE-2026-44578, CVE-2026-44581) requiring the most urgent attention and impacting virtually every production NextJS deployment - patch now!",
      "creation_timestamp": "2026-05-07T23:40:51.698967Z"
    },
    {
      "uuid": "ce18b1ac-2a32-4349-b0af-16f1900e29d1",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "Telegram/xvoYgOFnUf5jFw65_bW2FC7fcn6orx4l4LTjm0d68ZkOEzo",
      "content": "",
      "creation_timestamp": "2026-05-08T03:00:06.000000Z"
    },
    {
      "uuid": "6667ce13-4073-4b18-aa5e-812c8dae0681",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "Telegram/6_gD9pQtVCg_eRlU_-Eqvw6JM83wq5C4Rc0rf2uF-yzttPU",
      "content": "",
      "creation_timestamp": "2026-05-13T09:00:04.000000Z"
    },
    {
      "uuid": "d54bb313-5d5b-477d-b5dd-b43e8eca92c5",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "published-proof-of-concept",
      "source": "https://t.me/htfgtps/1107",
      "content": "CVE-2026-23870, CVE-2026-44575, CVE-2026-44579, CVE-2026-44574, CVE-2026-44578, CVE-2026-44573, CVE-2026-44581, CVE-2026-44580, CVE-2026-44577, CVE-2026-44576, CVE-2026-44582, CVE-2026-44572\nhttps://github.com/dwisiswant0/next-16.2.4-pocs",
      "creation_timestamp": "2026-05-11T06:42:58.000000Z"
    },
    {
      "uuid": "ba71fbd8-329e-4f76-8f8f-e97d05806a83",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "https://t.me/GithubRedTeam/84034",
      "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #SSRF\n\n\ud83d\udce6 Project name: verify-ghsa-c4j6-fc7j-m34r\n\ud83d\udc64 Project author: panchocosil\n\ud83d\udee0 Language: Python\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-13 05:49:17\n\n\ud83d\udcdd Project description:\nOOB verifier for GHSA-c4j6-fc7j-m34r / CVE-2026-44578 (Next.js WebSocket-upgrade SSRF)\n\n\ud83d\udd17 Click to open the project",
      "creation_timestamp": "2026-05-13T06:02:34.000000Z"
    },
    {
      "uuid": "e4d2a062-f062-4c9a-86b9-77db71f47033",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "https://gist.github.com/leedc0101/2125a81a4a6c9a3e8ceb67fea7454149",
      "content": "# Server-side request forgery in applications using WebSocket upgrades\n\n- Original title: Server-side request forgery in applications using WebSocket upgrades\n- Original link: https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r\n- Translation date: 2026-05-17 KST\n\n## Translation\n\nA security advisory has been published stating that self-hosted Next.js applications that use the built-in Node.js server and accept WebSocket upgrade requests can be vulnerable to server-side request forgery (SSRF). An attacker can use a crafted WebSocket upgrade request to make the server proxy the request to an arbitrary internal or external destination. This risks exposing internal services or cloud metadata endpoints.\n\nThe affected package is `next` on npm; the affected versions are `>=13.4.13 <15.5.16` and `>=16.0.0 <16.2.5`. The patched versions are `15.5.16` and `16.2.5`. Applications deployed on Vercel are stated to be unaffected. The core risk is the combination of \"self-hosted + built-in Node.js server + exposed WebSocket upgrade\".\n\nThe fix applies the same safety checks that were already applied to ordinary HTTP requests to WebSocket upgrade handling as well. Upgrade requests are now proxied only when routing has explicitly marked them as a safe external rewrite.\n\nIf you cannot upgrade immediately, the first priority is not to expose the origin server directly to untrusted networks. If WebSocket upgrades are not needed, block those requests at the reverse proxy or load balancer. Defenses are also needed that restrict the origin server from egressing freely to the internal network or cloud metadata services.\n\nThe severity of the vulnerability is High, CVSS 8.6. The attack vector is network, attack complexity is low, and no privileges or user interaction are required. The confidentiality impact is rated high. The CVE ID is `CVE-2026-44578`.\n\nFrom a frontend team's perspective the checkpoints are simple. If you self-host Next.js, check the current version and, as far as possible, move to `15.5.16` or `16.2.5` or later. Teams that run Next.js outside Vercel, such as on Cloud Run, ECS, EC2, Kubernetes or a bare Node server, should in particular also check the reverse proxy configuration to see whether the WebSocket upgrade path is open. Even though a security patch looks like a \"frontend framework version bump\", its actual impact extends to the infrastructure and the network boundary.\n",
      "creation_timestamp": "2026-05-17T01:29:38.000000Z"
    },
    {
      "uuid": "70ff1d05-d37f-4591-ba86-51b8ef86bdac",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "published-proof-of-concept",
      "source": "https://t.me/GithubRedTeam/84287",
      "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #CVE-2026\n\n\ud83d\udce6 Project name: nextssrf\n\ud83d\udc64 Project author: ynsmroztas\n\ud83d\udee0 Language: Python\n\u2b50 Stars: 3  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-15 05:55:49\n\n\ud83d\udcdd Project description:\nNextSSRF \u2014 CVE-2026-44578 Scanner & Exploit / Next.js WebSocket Upgrade Handler SSRF\n\n\ud83d\udd17 Click to open the project",
      "creation_timestamp": "2026-05-15T06:00:04.000000Z"
    },
    {
      "uuid": "274c57fe-24ab-4137-bb3b-1fd742a30c3a",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "confirmed",
      "source": "https://github.com/projectdiscovery/nuclei-templates/tree/main/javascript/cves/2026/CVE-2026-44578.yaml",
      "content": "",
      "creation_timestamp": "2026-05-15T19:59:08.000000Z"
    },
    {
      "uuid": "0e5dbe12-4b5a-4f8f-be63-ca7509d15887",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "published-proof-of-concept",
      "source": "Telegram/tjgrzpu_dxl6dwKI7zyqcFMKKJNj87hWK2Sc-mpFVOelTAw",
      "content": "",
      "creation_timestamp": "2026-05-15T09:00:04.000000Z"
    },
    {
      "uuid": "70e7de3e-365c-4bc6-bc42-e5d33f01458b",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "https://gist.github.com/hahwul/e82a1e91f75872e43287743d4a15d035",
      "content": "id: nextjs-websocket-upgrade-ssrf-ghsa-c4j6\n\ninfo:\n  name: Next.js WebSocket Upgrade SSRF (GHSA-c4j6-fc7j-m34r / CVE-2026-44578)\n  author: hahwul\n  severity: high\n  description: |\n    Detects Next.js instances vulnerable to SSRF via malformed WebSocket upgrade\n    request with absolute-form request-URI (http:///).\n\n    The vulnerable resolveRoutes + upgrade handler collapses // and proxies to\n    localhost:80/443. Response starting with \"HTTP/1.\" or containing\n    \"Internal Server Error\" indicates the SSRF path was triggered.\n\n    Affected versions: next >=13.4.13 <15.5.16, >=16.0.0 <16.2.5\n\n    Note: Front-end proxies (nginx/Apache/CDN) may return similar errors\n    for absolute-URI requests, causing false positives. Use the original\n    Python verifier (verify_ghsa_c4j6.py) with control probe for accurate\n    in-band confirmation.\n  reference:\n    - https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r\n  tags: cve,cve2026,nextjs,ssrf,websocket,intrusive\n\nvariables:\n  # Default test path (override with -var path=xxx if needed)\n  path: \"x\"\n\nrequests:\n  - raw:\n      - |\n        GET http:///{{path}} HTTP/1.1\n        Host: {{Hostname}}\n        Connection: Upgrade\n        Upgrade: websocket\n        Sec-WebSocket-Version: 13\n        Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\n\n    # Uncomment the payloads below to test several paths at once\n    # payloads:\n    #   path:\n    #     - x\n    #     - \"\"\n    #     - healthz\n    #     - status\n    #     - metrics\n    #     - actuator/health\n    #     - admin\n    #     - .env\n    #     - server-status\n    #     - stub_status\n    #     - nginx_status\n    #     - wp-login.php\n    #     - api/v1\n    #     - debug/pprof\n    #     - _next/static\n\n    matchers:\n      - type: regex\n        regex:\n          - '^HTTP/1\\.[0-9] '\n        part: raw\n      - type: word\n        words:\n          - \"Internal Server Error\"\n        part: body\n    matchers-condition: or\n\n    redirects: false\n    max-redirects: 0\n    threads: 10",
      "creation_timestamp": "2026-05-15T00:16:17.000000Z"
    },
    {
      "uuid": "ca18eb0f-5454-467e-b9c1-2e94f999ec8b",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "published-proof-of-concept",
      "source": "Telegram/bDRsekGT6KsUOKSAQI-KSXDhypQzzgL-gjqbTcCXe2h_h6A",
      "content": "",
      "creation_timestamp": "2026-05-15T21:00:05.000000Z"
    },
    {
      "uuid": "45bb4918-4ac0-4a56-a630-032aa2e259bc",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "https://t.me/GithubRedTeam/84487",
      "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #CVE-2026\n\n\ud83d\udce6 Project name: CVE-2026-44578\n\ud83d\udc64 Project author: 0xBlackash\n\ud83d\udee0 Language: None\n\u2b50 Stars: 0  |  \ud83c\udf74 Forks: 0\n\ud83d\udcc5 Updated: 2026-05-16 17:47:13\n\n\ud83d\udcdd Project description:\nCVE-2026-44578\n\n\ud83d\udd17 Click to open the project",
      "creation_timestamp": "2026-05-16T18:00:04.000000Z"
    },
    {
      "uuid": "53861e9a-a51d-4f76-b77f-b1b7e15b823b",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "published-proof-of-concept",
      "source": "Telegram/8zfghiqhdMgUnQpN-sW_sONu8d5R6D_u0VHsC67HR3Je1Bs",
      "content": "",
      "creation_timestamp": "2026-05-16T15:00:07.000000Z"
    },
    {
      "uuid": "a72bc5fe-de3f-4d38-b324-0a96434fb8b9",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "published-proof-of-concept",
      "source": "Telegram/M2s3PphtTCD9brru-X6QMyPesFMqQlhfbVnnLWpusEfiV5g",
      "content": "",
      "creation_timestamp": "2026-05-16T21:00:04.000000Z"
    },
    {
      "uuid": "460b4e43-81b0-41e2-866f-19bd0d260969",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "https://bsky.app/profile/cyberhub.blog/post/3mm3yt3zq6i2h",
      "content": "\ud83d\udccc CVE-2026-44578 - Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the b... https://www.cyberhub.blog/cves/CVE-2026-44578",
      "creation_timestamp": "2026-05-18T04:07:25.339719Z"
    },
    {
      "uuid": "921df47b-92ba-43ad-a242-565da6b8b640",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-44578",
      "type": "seen",
      "source": "https://infosec.exchange/users/cR0w/statuses/116608593313654495",
      "content": "https://horizon3.ai/attack-research/vulnerabilities/cve-2026-44578/\n\nCVE-2026-44578 is a High-severity server-side request forgery vulnerability affecting self-hosted Next.js applications that use the built-in Node.js server. The vulnerability exists in WebSocket upgrade request handling, where crafted requests can cause the server to proxy connections to arbitrary internal or external destinations. Vercel-hosted deployments are not affected.\n#fuckJavaScript",
      "creation_timestamp": "2026-05-20T19:38:49.158341Z"
    }
  ]
}