Next.js May 2026 security release

Next.js and React have announced the May 2026 security release, which addresses 13 security vulnerabilities. The main issues are authentication bypass, denial of service (DoS), server-side request forgery (SSRF), cache poisoning, and cross-site scripting (XSS), and CVE-2026-23870, related to React Server Components, is also included. All affected users should upgrade to the patched versions immediately; WAF rules cannot fully block these issues. This release applies to Next.js 13.x, 14.x, 15.x, 16.x and the react-server-dom-* packages.

https://vercel.com/changelog/next-js-may-2026-security-release

#nextjs #react #security #ssrf #dos

Next.js May 2026 security release - Vercel

Next.js 15.5.18 and 16.2.6 patch 13 security advisories covering middleware bypass, denial of service, SSRF, cache poisoning, and cross-site scripting.

Vercel

New security vulnerabilities disclosed in Next.js (patches released)

Multiple security vulnerabilities in Next.js have been disclosed and patched in version v16.2.6. The main vulnerabilities are denial of service (DoS) in Server Components, middleware and proxy bypass, server-side request forgery (SSRF), cross-site scripting (XSS), and cache poisoning; both the App Router and the Pages Router are affected. Developers of AI services and web applications built on Next.js are advised to apply this security update immediately.

https://github.com/vercel/next.js/releases/tag/v16.2.6

#nextjs #security #dos #ssrf #xss

Release v16.2.6 · vercel/next.js

This release contains security fixes for the following advisories:
High: GHSA-8h8q-6873-q5fj: Denial of Service with Server Components; GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router ...

GitHub

Why your LLM platform is the next target: a security audit of an AI service from the inside

We were looking for vulnerabilities in a RAG platform with tens of thousands of users, and instead found access to the entire infrastructure and to API keys with a budget of hundreds of thousands of dollars. For two weeks we built complex chains: SSRF through LangChain, prompt injection, HTTP smuggling, a deserialization CVE. None of them produced a result. Then we made a single curl request to an open port and got all the keys in 5 minutes. This article is not a hacking guide. It is an analysis of why LLM infrastructure creates fundamentally new risks, which mistakes we see in AI startups again and again, and what to pay attention to if you are building something similar.

https://habr.com/ru/articles/1029822/

#pentest #LLM #SSRF #JWT #Docker #LangChain #AI_Security #security_audit #RAG #API_keys

Why your LLM platform is the next target: a security audit of an AI service from the inside

Disclaimer: Everything described is the result of an authorized security audit under contract. The vulnerabilities were responsibly disclosed, the keys rotated, and the domains and IPs changed. The article is for understanding, not for...

Habr
MEDIUM severity SSRF (CVE-2026-23773) found in Dell DLm8700 📢. Low-priv remote attackers can trigger server-side requests. No known exploits, no patch yet — restrict access & follow vendor advisories. https://radar.offseq.com/threat/cve-2026-23773-cwe-918-server-side-request-forgery-08701a02 #OffSeq #SSRF #Dell #Cybersecurity

LMDeploy Vulnerability Exploited Within 13 Hours of Disclosure

A critical vulnerability in LMDeploy's vision-language module was exploited in the wild just 13 hours after its disclosure, allowing attackers to access sensitive resources and internal networks. This server-side request forgery flaw, tracked as CVE-2026-33626, affects all versions of the toolkit prior to 0.12.0.

https://osintsights.com/lmdeploy-vulnerability-exploited-within-13-hours-of-disclosure?utm_source=mastodon&utm_medium=social

#ServersideRequestForgery #Ssrf #Lmdeploy #Cve202633626 #VulnerabilityExploitation

LMDeploy Vulnerability Exploited Within 13 Hours of Disclosure

Learn how LMDeploy vulnerability CVE-2026-33626 was exploited in 13 hours and take immediate action to secure your system with our expert guidance now.

OSINTSights
🚩 SSRF alert: CVE-2026-6573 in PHPEMS 11.0 (MEDIUM, CVSS 5.3) affects /app/exam/controller/exams.master.php via uploadfile argument. Exploit is public — review exposure! https://radar.offseq.com/threat/cve-2026-6573-server-side-request-forgery-in-phpem-e98897b9 #OffSeq #PHPEMS #SSRF #Vuln

📰 Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE

🚨 CRITICAL VULNERABILITY (CVSS 10.0) in Axios JS library! CVE-2026-40175 is an SSRF flaw that can lead to RCE and full cloud compromise. PoC is public. If you use Axios, update to v1.13.2 NOW! 🌐 #SupplyChain #RCE #SSRF

🔗 https://cyber.netsecops.io/articles/critical-axios-library-vulnerability-cve-2026-40175-allows-rce/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto

Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE

A critical SSRF vulnerability (CVE-2026-40175) with a CVSS score of 10.0 has been found in the popular Axios JavaScript library, allowing for RCE and cloud compromise. A PoC is available.

CyberNetSec.io

🛡️ Now Announcing: A New Cybersecurity Session at BSides Luxembourg

🧪📂 WHEN FILENAMES BECOME ATTACK SURFACES: WEAPONIZING NASA'S CFITSIO EXTENDED FILENAME SYNTAX – Adrian Denkiewicz ( @Adenkiewicz )

🧨 Turn filenames into attack vectors in this Talk (40 min) by uncovering how hidden parsing features can enable SSRF, file access, and data exposure.

What looks like a simple filename can actually be a powerful mini-language. This talk dives into CFITSIO’s Extended Filename Syntax (EFS), a feature widely embedded in scientific and imaging software, and shows how it silently expands the attack surface through built-in capabilities like virtual file handling, filtering, and network access.

Through original research, discover how these legitimate features can be abused to perform arbitrary file operations, trigger SSRF, and expose sensitive data—all without exploiting traditional memory corruption bugs. This session highlights how overlooked functionality in widely used libraries can introduce systemic risks across the software supply chain.

Adrian Denkiewicz ( @Adenkiewicz ) is an Offensive Security Expert and security consultant with experience spanning financial, e-commerce, and semiconductor industries. Currently a Staff Application Engineer at Doyensec, he specializes in application security, red teaming, and uncovering complex vulnerabilities in real-world systems.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/

📅 Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/

📲 View full schedule & build your agenda: https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #AppSec #SecureDevelopment #SSRF #SoftwareSecurity #CyberSecurity

Papra, a self-hosted document organizer, added SSRF protection for webhooks—blocking private/reserved IPs by default with allowlisting for local services. It's a small but important security improvement that shows self-hosted projects taking infrastructure security seriously. Allowlisting is the right approach. 📄🔒

#selfhosted #security #opensource #SSRF

Source: https://fosstodon.org/@dbtechyt

DB Tech (@[email protected])

1.99K Posts, 79 Following, 722 Followers · DB Tech specializes in tutorial videos about Docker, home servers, and self-hosting

Fosstodon
⚠️ CVE-2026-0560: HIGH-severity SSRF in parisneo/lollms (<2.2.0) allows remote attackers to access internal network/cloud endpoints via /api/files/export-content. Patch to 2.2.0+ or block unsafe URLs now! https://radar.offseq.com/threat/cve-2026-0560-cwe-918-server-side-request-forgery--5103940b #OffSeq #SSRF #Vuln #AppSec