Low severity3.7GHSA Advisory· Published May 13, 2026· Updated May 14, 2026
CVE-2026-44582
CVE-2026-44582
Description
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nextnpm | >= 13.4.6, < 15.5.16 | 15.5.16 |
nextnpm | >= 16.0.0, < 16.2.5 | 16.2.5 |
Affected products
4- osv-coords2 versions
< 0.51.0-r7+ 1 more
- (no CPE)range: < 0.51.0-r7
- (no CPE)range: >= 13.4.6, < 15.5.16
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-vfv6-92ff-j949ghsaADVISORY
- github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949nvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-44582ghsaADVISORY
- github.com/vercel/next.js/releases/tag/v15.5.16ghsaWEB
- github.com/vercel/next.js/releases/tag/v16.2.5ghsaWEB
News mentions
0No linked articles in our index yet.