Share
## https://sploitus.com/exploit?id=3AC8A3A3-D354-5C33-AC06-C1420289BA8D
# patch-to-exploit
Lab + PoC scripts for ["30 minutes from patch to exploit"](https://blog.himanshuanand.com/2026/05/30-minutes-from-patch-to-exploit/).
Five CVEs. Five exploits derived from public patch diffs. Slowest took 30 minutes. Fastest took two.
| CVE | Target | Bug | Severity | PoC |
|---|---|---|---|---|
| CVE-2026-44578 | Next.js | SSRF via WebSocket upgrade | High 8.6 | `pocs/01-nextjs-ssrf.py` |
| CVE-2026-44579 | Next.js | DoS via `Next-Resume` header | High 7.5 | `pocs/03-nextjs-cache-dos.sh` |
| CVE-2026-44577 | Next.js | Image optimizer OOM | Moderate 5.9 | `pocs/02-nextjs-image-dos.sh` |
| CVE-2026-44574 | Next.js | Middleware auth bypass | High 8.1 | Analysis only (see blog) |
| CVE-2026-9082 | Drupal | SQL injection (core) | Critical 9.8 | `pocs/04-drupal-sqli.py` |
## setup
```bash
cd labs
bash setup.sh          # creates test files + builds images
docker compose up -d   # starts everything
```
**What runs:**
- `localhost:3000` -- Next.js 15.5.15 (vulnerable)
- `localhost:8080` -- Drupal 11.2.11 (vulnerable, needs install wizard)
- `internal-service:8888` -- canary (Docker-internal only, SSRF target)
**Drupal one-time setup:** visit `localhost:8080`, complete the wizard. DB: `drupal`/`drupal`/`drupal`, host: `drupal-db`.
## run
```bash
python3 pocs/01-nextjs-ssrf.py                          # SSRF
bash pocs/02-nextjs-image-dos.sh 127.0.0.1 3000         # Image DoS
bash pocs/03-nextjs-cache-dos.sh 127.0.0.1 3000         # Cache DoS
python3 pocs/04-drupal-sqli.py --host 127.0.0.1 --port 8080  # SQLi
```
## cleanup
```bash
cd labs && docker compose down -v
```
## disclaimer
Educational and authorized research only, all tests run against local Docker containers no external targets touched