CVE-2026-44576

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*

History

14 May 2026, 13:44

Type	Values Removed	Values Added
References	~~() https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7 -~~	() https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7 - Vendor Advisory
CPE		cpe:2.3:a:vercel:next.js::::::node.js::*
First Time		Vercel next.js Vercel

13 May 2026, 17:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-13 17:16

Updated : 2026-05-14 13:44

NVD link : CVE-2026-44576

Mitre link : CVE-2026-44576

CVE.ORG link : CVE-2026-44576

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-436

Interpretation Conflict

5.4 /10