CVE-2026-44582

Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*

History

14 May 2026, 18:15

Type	Values Removed	Values Added
References	~~() https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949 -~~	() https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949 - Mitigation, Vendor Advisory
First Time		Vercel next.js Vercel
CPE		cpe:2.3:a:vercel:next.js::::::node.js::*

13 May 2026, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-13 18:16

Updated : 2026-05-14 18:15

NVD link : CVE-2026-44582

Mitre link : CVE-2026-44582

CVE.ORG link : CVE-2026-44582

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-328

Use of Weak Hash

3.7 /10