Medium severity5.4GHSA Advisory· Published May 13, 2026· Updated May 14, 2026
CVE-2026-44576
CVE-2026-44576
Description
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nextnpm | >= 14.2.0, < 15.5.16 | 15.5.16 |
nextnpm | >= 16.0.0, < 16.2.5 | 16.2.5 |
Affected products
4- osv-coords2 versions
< 0.51.0-r7+ 1 more
- (no CPE)range: < 0.51.0-r7
- (no CPE)range: >= 14.2.0, < 15.5.16
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.