## https://sploitus.com/exploit?id=146F34D4-FCEF-5324-8CFE-5AF0750377F4
# Next.js v16.2.4 Security PoC Collection
This repository collects reverse-engineered proof-of-concept material for the security issues fixed in Next.js `v16.2.5`. The root of the repo holds the release-window analysis, and `poc/` holds one PoC bundle per advisory.
This collection was reverse-engineered with [Neo by ProjectDiscovery](https://neo.projectdiscovery.io). Public workspace: https://neo.projectdiscovery.io/share/d250e203-4313-4be3-b108-837c2f8ea693
All issues covered here are publicly disclosed and patched. The material is intended for defensive research, regression testing, and detection work.
## Repository layout
- `SUMMARY.md` - commit-diff analysis for `v16.2.4..v16.2.5`, including the security-relevant commits that led to this collection.
- `poc/README.md` - the full advisory matrix, severity breakdown, hosting-model notes, and the detailed methodology behind the PoCs.
- `poc/<advisory>/` - one directory per GHSA/CVE, usually containing:
  - `README.md` - issue write-up and exploit chain
  - `vulnerable-code.md` - relevant pre-patch source excerpts
  - `patch.diff` - upstream fix or the closest public patch material
  - `exploit.py` and `exploit.sh` - runnable exploit primitives
  - `expected-output.txt` - reference behavior
  - `vulnerable-app/` - a minimal Next.js app or stub service used for reproduction
## Coverage
This repo covers 12 advisories fixed in the `v16.2.4..v16.2.5` release window:
| Directory | Advisory | Severity | Focus |
|---|---|---|---|
| [`poc/CVE-2026-23870_GHSA-8h8q-6873-q5fj/`](./poc/CVE-2026-23870_GHSA-8h8q-6873-q5fj/) | CVE-2026-23870 / GHSA-8h8q-6873-q5fj | High | React server-action stream DoS |
| [`poc/GHSA-267c-6grr-h53f/`](./poc/GHSA-267c-6grr-h53f/) | GHSA-267c-6grr-h53f | High | App Router prefetch middleware bypass |
| [`poc/GHSA-mg66-mrh9-m8jx/`](./poc/GHSA-mg66-mrh9-m8jx/) | GHSA-mg66-mrh9-m8jx | High | `next-resume` connection exhaustion |
| [`poc/CVE-2026-44574_GHSA-492v-c6pp-mqqv/`](./poc/CVE-2026-44574_GHSA-492v-c6pp-mqqv/) | CVE-2026-44574 / GHSA-492v-c6pp-mqqv | High | Dynamic-route and middleware mismatch |
| [`poc/CVE-2026-44578_GHSA-c4j6-fc7j-m34r/`](./poc/CVE-2026-44578_GHSA-c4j6-fc7j-m34r/) | CVE-2026-44578 / GHSA-c4j6-fc7j-m34r | High | WebSocket upgrade SSRF, self-hosted only |
| [`poc/CVE-2026-44573_GHSA-36qx-fr4f-26g5/`](./poc/CVE-2026-44573_GHSA-36qx-fr4f-26g5/) | CVE-2026-44573 / GHSA-36qx-fr4f-26g5 | High | Pages Router i18n data-route bypass |
| [`poc/CVE-2026-44581_GHSA-ffhc-5mcf-pf4q/`](./poc/CVE-2026-44581_GHSA-ffhc-5mcf-pf4q/) | CVE-2026-44581 / GHSA-ffhc-5mcf-pf4q | Moderate | CSP nonce parsing edge case |
| [`poc/GHSA-gx5p-jg67-6x7h/`](./poc/GHSA-gx5p-jg67-6x7h/) | GHSA-gx5p-jg67-6x7h | Moderate | `next/script` `beforeInteractive` XSS |
| [`poc/GHSA-h64f-5h5j-jqjh/`](./poc/GHSA-h64f-5h5j-jqjh/) | GHSA-h64f-5h5j-jqjh | Moderate | Image optimizer decompression bomb, self-hosted only |
| [`poc/GHSA-wfc6-r584-vfw7/`](./poc/GHSA-wfc6-r584-vfw7/) | GHSA-wfc6-r584-vfw7 | Moderate | RSC and HTML cache confusion |
| [`poc/CVE-2026-44582_GHSA-vfv6-92ff-j949/`](./poc/CVE-2026-44582_GHSA-vfv6-92ff-j949/) | CVE-2026-44582 / GHSA-vfv6-92ff-j949 | Low | Weak `_rsc` cache-busting hash |
| [`poc/GHSA-3g8h-86w9-wvmq/`](./poc/GHSA-3g8h-86w9-wvmq/) | GHSA-3g8h-86w9-wvmq | Low | `x-nextjs-data` redirect cache poisoning |
The detailed severity, CVSS, CWE mapping, and hosting applicability live in [`poc/README.md`](./poc/README.md).
## Getting started
1. Read [`SUMMARY.md`](./SUMMARY.md) for the release-window analysis.
2. Read [`poc/README.md`](./poc/README.md) for the full advisory table and attack-surface overview.
3. Pick a PoC directory and start with its local `README.md`.
4. Run the matching exploit against a vulnerable target.
Run a single PoC:
```bash
TARGET=http://localhost:3000 ./poc/CVE-2026-44574_GHSA-492v-c6pp-mqqv/exploit.sh
```
Run the whole collection:
```bash
TARGET=http://localhost:3000 ./poc/run-all.sh
```
Most exploits assume a vulnerable Next.js `v16.2.4` target. Some directories instead ship a small stub service in `vulnerable-app/` when reproducing the bug against a full Next.js install would add too much setup overhead.
## Safety
- Test only against systems you own or are explicitly authorized to assess.
- Upgrade targets to `next@>=16.2.5` to pick up the upstream fixes.
- If your work turns up a new variant, report it privately through the Next.js security process instead of disclosing it in public.