High severity7.5GHSA Advisory· Published May 13, 2026· Updated May 14, 2026
CVE-2026-44579
CVE-2026-44579
Description
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nextnpm | >= 15.0.0, < 15.5.16 | 15.5.16 |
nextnpm | >= 16.0.0, < 16.2.5 | 16.2.5 |
Affected products
4- osv-coords2 versions
< 0.51.0-r7+ 1 more
- (no CPE)range: < 0.51.0-r7
- (no CPE)range: >= 15.0.0, < 15.5.16
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-mg66-mrh9-m8jxghsaADVISORY
- github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jxnvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-44579ghsaADVISORY
- github.com/vercel/next.js/releases/tag/v15.5.16ghsaWEB
- github.com/vercel/next.js/releases/tag/v16.2.5ghsaWEB
News mentions
1- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and MoreThe Hacker News · May 11, 2026