ModatMagnify | 笨蛋三月七的日常互联网搬💩集散地BGP 分频: @bakanetwork内频:https://t.me/+KeNZttiOmFtlZjE1「愿你在未来与我的既往重逢」https://broadcastchannel-95o.pages.dev#碎碎念 #前端 #安全 #新动态看乐了,还好我已经远离 Next.js 了CVE-2026-44578 CVE-2026-44578 ⚠️ Next.js – WebSocket Upgrade SSRF (CVSS 8.6) A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler. By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data. Affected: Next.js 13.4.13+, 14.x, 15.x <15.5.16, 16.0.0–16.2.4 Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.  Modat Magnify Query: technology="Next.js" The platform: https://broadcastchannel-95o.pages.dev/posts/2230https://broadcastchannel-95o.pages.dev/posts/2230Thu, 14 May 2026 14:24:37 GMT<div> <img src="https://cdn5.telesco.pe/file/J5wyT94ea9YyWIE2AjvteHEDK8p2CY7X6jJGj1TlpZvStmMR0EYYIfLlU6ouv8ThbAtE2T4Q5TvLdB1ZXG_2qG9Pm709aF4A5l5Ag-lx7TBUOjz4as8FVXPlNA5Ep4RUoUIoXKuII3yiQwVCeZJom9ihDUHC17px51a2Atn2lsYMC83uhayBvLn6iLUI0dUAT30t62eTW9otYt1zOkJLq02Rkv1BLrXmZYxeApWncMB0SfqRlGtnI8iE_lM26pZJxVqTvlxodJVxrBjsn_Pnf62w9y8I48VOqr-ReAPFwanAkK6ObuplHGhWpg_WUOkKw4vKTQnN07zu-JbfI2xdBg.jpg" alt="#碎碎念 #前端 #安全 #新动态看乐了,还好我已经远离 Next.js 了CVE-2026-44578 CVE-2026-44578 ⚠️ Next.js – WebSocket Upgrade SSRF (CVSS 8.6) A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler. By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data. Affected: Next.js 13.4.13+, 14.x, 15.x &lt;15.5.16, 16.0.0–16.2.4 Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.  Modat Magnify Query: technology=" loading="lazy" /> </div><a href="/search/%23%E7%A2%8E%E7%A2%8E%E5%BF%B5">#碎碎念</a> <a href="/search/%23%E5%89%8D%E7%AB%AF">#前端</a> <a href="/search/%23%E5%AE%89%E5%85%A8">#安全</a> <a href="/search/%23%E6%96%B0%E5%8A%A8%E6%80%81">#新动态</a><br />看乐了,还好我已经远离 Next.js 了<br /><br /><a href="https://x.com/modat_magnify/status/2054848379339837850" target="_blank">CVE-2026-44578 </a><br /><blockquote>CVE-2026-44578 <br /><i><b>⚠️</b></i> Next.js – WebSocket Upgrade SSRF (CVSS 8.6) <br /><br />A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler. <br />By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data. <br /><br />Affected: Next.js 13.4.13+, 14.x, 15.x &lt;15.5.16, 16.0.0–16.2.4 <br /><br />Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.  <br /><br />Modat Magnify Query: <br />technology="Next.js" <br /><br />The platform: <br /><a href="https://magnify.modat.io/" target="_blank">https://magnify.modat.io/</a> <br /><br /><a href="/search/%23threatintel">#threatintel</a> <a href="/search/%23vulnerability">#vulnerability</a> <a href="/search/%23CVE202644578">#CVE202644578</a> <a href="/search/%23Nextjs">#Nextjs</a> <a href="/search/%23SSRF">#SSRF</a> <a href="/search/%23WebSocket">#WebSocket</a> <a href="/search/%23CloudSecurity">#CloudSecurity</a> <a href="/search/%23infosec">#infosec</a> <a href="/search/%23Critical">#Critical</a> <a href="/search/%23ModatMagnify">#ModatMagnify</a></blockquote><br /><br />最近 CVE 好 热 闹 啊