New security vulnerabilities disclosed in Next.js (patches released)

Multiple security vulnerabilities in Next.js have been disclosed, with patches released in v16.2.6. The main vulnerabilities are denial of service (DoS) in Server Components, middleware and proxy bypass, server-side request forgery (SSRF), cross-site scripting (XSS), and cache poisoning; both the App Router and the Pages Router are affected. Developers of AI services and web applications that use Next.js are advised to apply this security update immediately.

https://github.com/vercel/next.js/releases/tag/v16.2.6

#nextjs #security #dos #ssrf #xss

Release v16.2.6 · vercel/next.js

This release contains security fixes for the following advisories: High: GHSA-8h8q-6873-q5fj: Denial of Service with Server Components GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router ...

GitHub

Why your LLM platform is the next target: a security audit of an AI service from the inside

We were looking for vulnerabilities in a RAG platform with tens of thousands of users, and found access to the entire infrastructure and API keys with a budget of hundreds of thousands of dollars. For two weeks we built elaborate chains: SSRF via LangChain, prompt injection, HTTP smuggling, a deserialization CVE. None of them produced a result. Then we made a single curl request to an open port and got all the keys in 5 minutes. This article is not a hacking guide. It is an analysis of why LLM infrastructure creates fundamentally new risks, which mistakes we see again and again in AI startups, and what to pay attention to if you are building something similar.

https://habr.com/ru/articles/1029822/

#pentest #LLM #SSRF #JWT #Docker #LangChain #AI_Security #security_audit #RAG #API_keys

Why your LLM platform is the next target: a security audit of an AI service from the inside

Disclaimer: Everything described is the result of an authorized security audit under contract. The vulnerabilities were responsibly disclosed, the keys were rotated, and domains and IPs have been changed. The article is for understanding, not for...

Habr
MEDIUM severity SSRF (CVE-2026-23773) found in Dell DLm8700 📢. Low-priv remote attackers can trigger server-side requests. No known exploits, no patch yet — restrict access & follow vendor advisories. https://radar.offseq.com/threat/cve-2026-23773-cwe-918-server-side-request-forgery-08701a02 #OffSeq #SSRF #Dell #Cybersecurity

LMDeploy Vulnerability Exploited Within 13 Hours of Disclosure

A critical vulnerability in LMDeploy's vision-language module was exploited in the wild just 13 hours after its disclosure, allowing attackers to access sensitive resources and internal networks. This server-side request forgery flaw, tracked as CVE-2026-33626, affects all versions of the toolkit prior to 0.12.0.

https://osintsights.com/lmdeploy-vulnerability-exploited-within-13-hours-of-disclosure?utm_source=mastodon&utm_medium=social

#ServersideRequestForgery #Ssrf #Lmdeploy #Cve202633626 #VulnerabilityExploitation

LMDeploy Vulnerability Exploited Within 13 Hours of Disclosure

Learn how LMDeploy vulnerability CVE-2026-33626 was exploited in 13 hours and take immediate action to secure your system with our expert guidance now.

OSINTSights
🚩 SSRF alert: CVE-2026-6573 in PHPEMS 11.0 (MEDIUM, CVSS 5.3) affects /app/exam/controller/exams.master.php via uploadfile argument. Exploit is public — review exposure! https://radar.offseq.com/threat/cve-2026-6573-server-side-request-forgery-in-phpem-e98897b9 #OffSeq #PHPEMS #SSRF #Vuln

📰 Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE

🚨 CRITICAL VULNERABILITY (CVSS 10.0) in Axios JS library! CVE-2026-40175 is an SSRF flaw that can lead to RCE and full cloud compromise. PoC is public. If you use Axios, update to v1.13.2 NOW! 🌐 #SupplyChain #RCE #SSRF

🔗 https://cyber.netsecops.io/articles/critical-axios-library-vulnerability-cve-2026-40175-allows-rce/?utm_source=mastodon&utm_medium=social&utm_campaign=twitter_auto

Critical Flaw in Axios Library Puts Countless Web Apps at Risk of RCE

A critical SSRF vulnerability (CVE-2026-40175) with a CVSS score of 10.0 has been found in the popular Axios JavaScript library, allowing for RCE and cloud compromise. A PoC is available.

CyberNetSec.io

🛡️ Now Announcing: A New Cybersecurity Session at BSides Luxembourg

🧪📂 WHEN FILENAMES BECOME ATTACK SURFACES: WEAPONIZING NASA'S CFITSIO EXTENDED FILENAME SYNTAX – Adrian Denkiewicz ( @Adenkiewicz )

🧨 Turn filenames into attack vectors in this Talk (40 min) by uncovering how hidden parsing features can enable SSRF, file access, and data exposure.

What looks like a simple filename can actually be a powerful mini-language. This talk dives into CFITSIO’s Extended Filename Syntax (EFS), a feature widely embedded in scientific and imaging software, and shows how it silently expands the attack surface through built-in capabilities like virtual file handling, filtering, and network access.

Through original research, discover how these legitimate features can be abused to perform arbitrary file operations, trigger SSRF, and expose sensitive data—all without exploiting traditional memory corruption bugs. This session highlights how overlooked functionality in widely used libraries can introduce systemic risks across the software supply chain.

Adrian Denkiewicz ( @Adenkiewicz ) is an Offensive Security Expert and security consultant with experience spanning financial, e-commerce, and semiconductor industries. Currently a Staff Application Engineer at Doyensec, he specializes in application security, red teaming, and uncovering complex vulnerabilities in real-world systems.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/

📅 Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/

📲 View full schedule & build your agenda: https://hackertracker.app/schedule?conf=BSIDESLUX2026

#BSidesLuxembourg2026 #AppSec #SecureDevelopment #SSRF #SoftwareSecurity #CyberSecurity

Papra, a self-hosted document organizer, added SSRF protection for webhooks—blocking private/reserved IPs by default with allowlisting for local services. It's a small but important security improvement that shows self-hosted projects taking infrastructure security seriously. Allowlisting is the right approach. 📄🔒

#selfhosted #security #opensource #SSRF

Source: https://fosstodon.org/@dbtechyt

DB Tech (@[email protected])

1.99K Posts, 79 Following, 722 Followers · DB Tech specializes in tutorial videos about Docker, home servers, and self-hosting

Fosstodon
⚠️ CVE-2026-0560: HIGH-severity SSRF in parisneo/lollms (<2.2.0) allows remote attackers to access internal network/cloud endpoints via /api/files/export-content. Patch to 2.2.0+ or block unsafe URLs now! https://radar.offseq.com/threat/cve-2026-0560-cwe-918-server-side-request-forgery--5103940b #OffSeq #SSRF #Vuln #AppSec

WIZ Bug Bounty Master Class: SSRF Vulnerability on Major Gaming Company
This vulnerability is an SSRF (Server Side Request Forgery) in a major gaming company's application. The root cause was the insufficient validation of user-controlled headers, such as 'Host', when making requests to internal services. By crafting payloads that leveraged this flaw, such as '<http://10.0.0.1> <http://internal.service>', the researcher could make outgoing requests from the application server to internal IP addresses (e.g., 10.0.0.1) and bypass network-level access controls. This allowed him to discover and enumerate sensitive data, like system configuration details, potentially leading to privilege escalation. The attacker received $5,000 for reporting the vulnerability. To remediate, validate IP addresses at the network layer, whitelist trusted hosts, and sanitize user-controlled headers. Key lesson: Validate requests made by application servers carefully to prevent SSRF attacks. #BugBounty #Cybersecurity #WebSecurity #SSRF

https://jareddouville.medium.com/wiz-bug-bounty-master-class-ssrf-vulnerability-on-major-gaming-company-abd846fcf291?source=rss------bug_bounty-5

WIZ Bug Bounty Master Class: SSRF Vulnerability on Major Gaming Company

URL: https://content-service.bugbountymasterclass.com

Medium
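The Papra post above (webhook URLs are checked, private and reserved addresses are blocked by default, local services can be allowlisted) and the WIZ write-up's remediation advice (validate the destination IP, allowlist trusted hosts, never trust user-controlled headers such as Host) describe the same defensive control. The block below is an added example written for this page; it is not Papra's code, nor anything from the WIZ report or the gaming company's application. It assumes a hypothetical `check_outbound_url` helper, a constructed DNS table (`FAKE_DNS`, with made-up names and addresses) so it runs offline, and a sample allowlist; every name and address in it is constructed. It judges literal IPs directly, resolves hostnames and rejects a name if any answer is internal (a rebinding or split-horizon name cannot slip through on one public answer), and returns the validated IP so the caller connects to that address and derives the Host header from the validated URL rather than from anything the requester supplied.

```python
"""Outbound-URL guard for webhooks and other server-initiated requests.

Added example (not from any project on this page). Blocks private, reserved,
loopback, link-local, multicast and unspecified destinations, honours an
explicit allowlist for known local services, and pins the validated address
so the caller does not re-resolve the name before connecting.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver and return every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(ip) -> bool:
    """True for any address a server-side request must never reach."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as 10.0.0.1.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (
        not ip.is_global          # RFC 1918, CGNAT, reserved, documentation ranges
        or ip.is_loopback
        or ip.is_link_local       # 169.254/16, where cloud metadata endpoints live
        or ip.is_multicast
        or ip.is_unspecified
    )


@dataclass
class Verdict:
    allowed: bool
    reason: str
    host: Optional[str] = None       # hostname the caller puts in the Host header
    pinned_ip: Optional[str] = None  # address the caller must actually connect to


def check_outbound_url(url: str, allowlist: Iterable[str] = (),
                       resolve: Resolver = system_resolver) -> Verdict:
    """Decide whether a server may fetch `url`; the allowlist holds hostnames
    or literal IPs of local services that are deliberately permitted."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return Verdict(False, "scheme %r not permitted" % parts.scheme)
    host = parts.hostname  # lower-cased, brackets stripped, userinfo removed
    if not host:
        return Verdict(False, "no host in URL")
    allow = {a.lower() for a in allowlist}

    # A literal IP in the URL involves no DNS: judge it directly.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if is_internal(literal) and host not in allow:
            return Verdict(False, "%s is an internal address" % host)
        return Verdict(True, "literal address accepted", host, str(literal))

    # A hostname: resolve it and judge *every* answer.
    try:
        answers = list(resolve(host))
    except (socket.gaierror, OSError):
        answers = []
    if not answers:
        return Verdict(False, "%s did not resolve" % host)
    if host in allow:
        return Verdict(True, "host allowlisted", host, answers[0])
    for addr in answers:
        if is_internal(ipaddress.ip_address(addr)):
            return Verdict(False, "%s resolves to internal address %s" % (host, addr))
    return Verdict(True, "resolved to public addresses only", host, answers[0])


# Constructed DNS table used instead of the system resolver so the example runs
# offline. None of these names or addresses refer to real deployments.
FAKE_DNS = {
    "hooks.example.com": ["23.45.67.89"],
    "rebind.example.net": ["23.45.67.89", "10.0.0.5"],
    "nas.lan": ["192.168.1.20"],
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    sample_allowlist = ["nas.lan", "192.168.1.50"]  # constructed local services
    for u in ["http://hooks.example.com/notify", "http://10.0.0.1/",
              "http://[::ffff:10.0.0.1]/", "http://169.254.169.254/latest/meta-data/",
              "http://rebind.example.net/", "file:///etc/passwd",
              "http://nas.lan/hook", "http://192.168.1.50:9000/hook"]:
        print(u, "->", check_outbound_url(u, sample_allowlist, fake_resolver))
```

The caller should open the connection to `pinned_ip` and send `host` in the Host header (and as the TLS SNI) itself, rather than handing the original URL to an HTTP client that would resolve the name a second time; the verdict's `host` comes from the validated URL, never from a header the requester controls.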