CVE-2026-44576

Published: Mag 13, 2026 Last Modified: Mag 13, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,4

Source: [email protected]

Attack Vector: network

Attack Complexity: high

Privileges Required: none

User Interaction: none

Scope: changed

Confidentiality: none

Integrity: low

Availability: low

Description

AI Translation Available

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.

436

Interpretation Conflict

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Other

Potential Impacts:

Unexpected State Varies By Context

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/vercel/next.js/security/advisories/GHSA-…

https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7

CVE-2026-44576

Description

Interpretation Conflict

Common Consequences

Applicable Platforms

Iscriviti alla newsletter