What is the CVSS score of CVE-2026-44576?

CVE-2026-44576 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-44576?

Yes, a patch is available for CVE-2026-44576. Update the affected software to the latest version immediately.

Next.js CVE-2026-44576

MEDIUM

Interpretation Conflict (CWE-436)

2026-05-11 https://github.com/vercel/next.js

GHSA-wfc6-r584-vfw7

Information Disclosure

5.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Source Code Evidence Fetched

May 11, 2026 - 16:17 vuln.today

Analysis Generated

May 11, 2026 - 16:17 vuln.today

CVE Published

May 11, 2026 - 15:54 nvd

MEDIUM 5.4

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

4,044 npm packages depend on next (62 direct, 3,985 indirect)

Ecosystem-wide dependent count for version 14.2.0.

DescriptionNVD

Impact

Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML.

Fix

We now validate and interpret RSC request headers consistently across request classification and rendering, and we enforce the intended cache-busting behavior so RSC payloads are not unexpectedly served from the original URL.

Workarounds

If you cannot upgrade immediately, ensure your CDN or reverse proxy keys on the relevant RSC request headers and honors Vary, or disable shared caching for affected App Router and RSC responses.

AnalysisAI

Cache poisoning in React Server Components allows remote attackers to serve malicious RSC payloads from legitimate URLs when shared caches (CDNs, reverse proxies) do not properly partition response variants by RSC request headers. An attacker can manipulate cache entries so subsequent legitimate users receive component serialization instead of expected HTML, enabling information disclosure and application malfunction. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44576 vulnerability details – vuln.today

Back

Next.js CVE-2026-44576

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

Impact

Fix

Workarounds

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code