Low severity3.7GHSA Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-44582

Description

Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.

Affected products

Vercel/Next.jsGHSA
Range: >= 16.0.0, < 16.2.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-vfv6-92ff-j949ghsaADVISORY
github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949nvdMitigationVendor Advisory
github.com/vercel/next.js/releases/tag/v15.5.16ghsa
github.com/vercel/next.js/releases/tag/v16.2.5ghsa
nvd.nist.gov/vuln/detail/CVE-2026-44582ghsa

News mentions

The Good, the Bad and the Ugly in Cybersecurity – Week 19
SentinelOne Labs · May 8, 2026

cvss	0.240
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000