SecuriTricks - CVE-2026-44576

Description

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.

Product(s) Impacted

Vendor	Product	Versions
Vercel	Next.js	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-436

Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	vercel	next.js	/	/	/	/	/	node.js	/	/
a	vercel	next.js	/	/	/	/	/	node.js	/	/

References

https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7

CVSS Score

5.4 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

View Vector String

Timeline

Published: May 13, 2026, 5:16 p.m.
Last Modified: May 14, 2026, 1:44 p.m.

Status : Analyzed

CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.

More info

Source

[email protected]

CVE-2026-44576