#nextjs
2 posts tagged #nextjs.
-
Analysis · May 14, 2026 · Colten Anderson
Vercel shipped the framework. You're shipping the patch
CVE-2026-44578 is a CVSS 8.6 SSRF in self-hosted Next.js. The fix for 13.x and 14.x users is a major-version migration, filed against your product team as a Dependabot chore.
-
Analysis · May 5, 2026 · Colten Anderson
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday. By the following Thursday, ransomware groups were deploying payloads within one minute of initial access. A 200-byte POST, CVSS 10, 137,000 exposed instances, and most developers never knew their frontend had server-side attack surface.