CVE-2026-44578 | Severity: HIGH 8.6 | EPSS percentile: 84.8%

Description

Next.js is a React framework for building full-stack web applications. In versions from 13.4.13 up to, but not including, 15.5.16 and 16.2.5, self-hosted applications that use the built-in Node.js server can be vulnerable to server-side request forgery (SSRF) through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. The vulnerability is fixed in 15.5.16 and 16.2.5.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 2.83% probability of exploitation · percentile 84.8% · 2026-06-19T12:03:05Z
Published: 2026-05-13
Last modified: 2026-05-14

Underlying weaknesses (1)

CWE-918: Server-Side Request Forgery (SSRF)

References

  1. https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r


Type      | Target                                      | Confidence | Tier
Weakness  | Server-Side Request Forgery (SSRF), cwe-918 | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-57822
CVE: CVE-2026-44574
CVE: CVE-2025-29927
CVE: CVE-2025-6087
CVE: CVE-2026-42353
CVE: CVE-2026-41690

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.