
Next.js CVE-2026-44582

Severity: LOW
Weakness: Use of Weak Hash (CWE-328)
Date: 2026-05-11
Repository: https://github.com/vercel/next.js
Advisory: GHSA-vfv6-92ff-j949
CVSS 3.1 score: 3.7

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched: May 11, 2026 - 16:17 (vuln.today)
Analysis Generated: May 11, 2026 - 16:17 (vuln.today)
CVE Published: May 11, 2026 - 15:56 (nvd)

Blast Radius

ecosystem impact
  • 23 npm packages depend on next (21 direct, 3 indirect)

Ecosystem-wide dependent count for version 13.4.6.

Description (NVD)

Impact

React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL.

Fix

We strengthened the _rsc cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries.

Workarounds

If you cannot upgrade immediately, ensure intermediary caches correctly honor Vary for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.
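The following is an added example, not code from Next.js or from the advisory: a small model of a shared cache showing why the Vary workaround matters when two requests end up with the same _rsc value. The header names (RSC, Next-Router-Prefetch), the URL, the _rsc value and the origin behaviour are assumptions constructed for the illustration.

```javascript
// Added example: constructed model of a shared cache, not Next.js or CDN code.
// Assumption: the origin sends `Vary: RSC, Next-Router-Prefetch`.
const VARY = 'RSC, Next-Router-Prefetch';

// Constructed origin: the response variant depends on a request header.
function origin(url, headers) {
  const variant = headers['next-router-prefetch'] === '1' ? 'prefetch' : 'full';
  return { headers: { vary: VARY }, body: `rsc:${variant}` };
}

class SharedCache {
  constructor(honorVary) {
    this.honorVary = honorVary;
    this.entries = new Map(); // cache key -> stored response
    this.varyFor = new Map(); // URL -> Vary value last seen from the origin
  }
  key(url, headers) {
    const vary = this.honorVary ? this.varyFor.get(url) : undefined;
    if (!vary) return url; // URL-only key: all variants share one entry
    const parts = vary.split(',').map((h) => h.trim().toLowerCase()).sort()
      .map((h) => `${h}=${headers[h] ?? ''}`);
    return `${url}|${parts.join('&')}`;
  }
  fetch(url, headers) {
    const hit = this.entries.get(this.key(url, headers));
    if (hit) return { body: hit.body, cache: 'HIT' };
    const res = origin(url, headers);
    this.varyFor.set(url, res.headers.vary);
    this.entries.set(this.key(url, headers), res);
    return { body: res.body, cache: 'MISS' };
  }
}

// Two requests whose _rsc values are assumed to be identical (same URL)
// while their RSC request headers differ. Returns what the second one gets.
function secondResponse(honorVary) {
  const cache = new SharedCache(honorVary);
  const url = '/dashboard?_rsc=abc12'; // constructed value
  cache.fetch(url, { rsc: '1', 'next-router-prefetch': '1' });
  return cache.fetch(url, { rsc: '1' });
}

console.log(secondResponse(false)); // cache ignores Vary: wrong variant, HIT
console.log(secondResponse(true));  // cache honors Vary: correct variant, MISS
```

With the URL-only key the second client is served the variant stored for the first; once the Vary'd headers are part of the key, the two variants occupy separate entries even though the URL is the same.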

Analysis (AI)

Cache poisoning in Next.js React Server Component responses allows attackers to poison shared cache entries through collisions in the _rsc cache-busting mechanism, potentially serving incorrect response variants to users. The vulnerability affects Next.js versions 13.4.6 through 15.5.15 and 16.0.0 through 16.2.4 in deployments using shared caches with insufficient response partitioning. …
