CVE-2026-44576 — MEDIUM (5.4)

Q: How severe is CVE-2026-44576?

CVE-2026-44576 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-44576?

Check the references section above for vendor advisories and patch information. Affected products include: Vercel Next.Js.

Vulnerability Description

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Vercel	Next.Js	>= 14.2.0, < 15.5.16

Related Weaknesses (CWE)

CWE-436

References

https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7Vendor Advisory

FAQ

What is CVE-2026-44576?

CVE-2026-44576 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when sh...

How severe is CVE-2026-44576?

CVE-2026-44576 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-44576?

Check the references section above for vendor advisories and patch information. Affected products include: Vercel Next.Js.