`Next.js` security release patches 13 flaws; upgrade to `15.5.18` or `16.2.6`

This fixes 13 issues across auth bypass, DoS, SSRF, cache poisoning, and XSS, with no reliable WAF fallback. If you run middleware.js, Server Functions, Image Optimization, or RSC caching, this is an immediate patch cycle.

[ KEY POINTS ]

Authorization paths are exposed in multiple ways: middleware.js/proxy.js apps are affected by segment-prefetch, i18n default-locale, and dynamic route injection bypasses.
Runtime risk is broad, not edge-case: DoS hits React Server Components, Cache Components, and the Image Optimization API, so default framework features are in scope.
WebSocket upgrade handling has an SSRF advisory. Any app bridging internal services through upgrade requests should treat this as perimeter-breaking.
Caching setups need scrutiny twice: one advisory targets RSC response poisoning, another targets collisions in RSC cache-busting. CDN or reverse-proxy stacks are not neutral here.
Fixed targets are explicit: upgrade Next.js 15.x to 15.5.18, 16.x to 16.2.6, and matching react-server-dom-* packages to 19.0.6 / 19.1.7 / 19.2.6.

Originalvercel.com/changelog/next-js-may-2026-security-releaseRead original →

// related

#0001
#0001Infra & SaaS RevenueCat Blog24 hours ago
`RevenueCat` Adds Flexible Discounts for Web Billing
60radar
RevenueCatSubscription billing infra — unified app and web subscriptions
Web subscriptions can now use percentage discounts, promo codes, and win-back offers. Useful for churn recovery and price testing without wiring discount logic yourself.
- Percentage-off discounts and promo codes now apply to RevenueCat web subscribers, reducing custom billing work.
- Win-back offers target cancelled or lapsed users. That gives churn recovery a built-in path instead of ad hoc email-only campaigns.
- The scope is web billing, not App Store pricing. Best fit is a paid web checkout where discount tests can move quickly.
Source: www.revenuecat.com/blog/company/flexible-discounts-web-bRead original →
FIG-0011:1
60radar
FIG-0011:1
#0002
#0002Infra & SaaS GeekNews3 days ago
`Stripe Link CLI` Lets AI Agents Pay on a User's Behalf
70radar
Stripe Link CLIPayment CLI — one-time credentials from a Link wallet
Agents can receive one-time payment credentials from a Link wallet without storing raw card data. Useful for agentic commerce experiments; production value depends on merchant support.
- Issues one-time credentials from a Link wallet, so agents can complete purchases without keeping actual card details.
- Supports two credential types: broadly usable virtual card PAN and an S... option based on Machine Payment Protocols.
- This is payment infrastructure, not just automation. It opens tests for delegated checkout, procurement bots, and agent-run SaaS workflows.
Source: news.hada.io/topic?id=29579Read original →
FIG-0021:1
70radar
FIG-0021:1
#0003
#0003Infra & SaaS vercel_blog5 days ago
`AI Gateway` adds request-time provider ranking controls
80radar
AI GatewayAI routing service — failover across model providers
Routing can now optimize on price, first-token latency, or throughput at request time instead of Vercel's blended default. Useful when one model has many providers and the cheapest or fastest route materially changes margin or UX.
- Set sort on providerOptions.gateway to 'cost', 'ttft', or 'tps' depending on whether margin, snappiness, or long-output speed matters most.
- Ranking is computed at request time, so newly added providers, price changes, and observed latency shifts flow through without code changes.
- Fallback is strict: providers are attempted in sorted order, and the next one is used only if the higher-ranked provider is unavailable.
- sort works with Zero Data Retention filtering and with order; pinned providers stay first, then the rest follow the chosen ranking.
- Each response exposes routing metadata with a sort block showing candidates, metric values, attempt order, and health-based deprioritization for debugging.
Source: vercel.com/changelog/sort-providers-by-cost-latency-or-tRead original →
FIG-0031:1
80radar
FIG-0031:1

`Next.js` security release patches 13 flaws; upgrade to `15.5.18` or `16.2.6`

// related

`RevenueCat` Adds Flexible Discounts for Web Billing

`Stripe Link CLI` Lets AI Agents Pay on a User's Behalf

`AI Gateway` adds request-time provider ranking controls