Originally published at devtoolpicks.com

A security research team at Hadrian published a deep-dive yesterday confirming that approximately 79,000 self-hosted Next.js instances are currently exploitable via CVE-2026-44578, a critical server-side request forgery vulnerability in Next.js's WebSocket upgrade handler. The flaw was first disclosed on May 11, 2026 but gained significant traction after the Shodan scan data went public.

If you deploy Next.js on Railway, Coolify, Render, or any bare VPS setup, this is relevant to you. If you host on Vercel, you are not affected.

What Is CVE-2026-44578?

The vulnerability lives in how Next.js handles WebSocket upgrade requests when using the built-in Node.js server. An attacker sends a crafted HTTP request with an Upgrade: websocket header pointing at an internal destination. The Next.js server, without any authentication check, proxies that request to wherever the attacker specifies.…