High severity7.5NVD Advisory· Published May 6, 2026· Updated May 7, 2026

CVE-2026-23870

Description

A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).

Affected products

Naturalintelligence/React Server Dom Turbopackinferred
Range: >=19.0.0,<=19.2.5
Package: https://npmjs.com/package/react-server-dom-turbopack

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-rv78-f8rc-xrxhghsaADVISORY
github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxhnvd
github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fjghsa
github.com/vitejs/vite-plugin-react/security/advisories/GHSA-w94c-4vhp-22gxghsa
nvd.nist.gov/vuln/detail/CVE-2026-23870ghsa

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000