CVE-2026-44576

MEDIUM LAB

Next.js: Cache poisoning in React Server Component responses

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-44576. PoCs published by dwisiswant0, XZ1r0.

Description

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.

Exploits (2)

github WORKING POC 127 stars
by dwisiswant0 · pythonpoc
https://github.com/dwisiswant0/next-16.2.4-pocs

This repository contains functional exploit proof-of-concept code for multiple CVEs affecting Next.js v16.2.4, including SSRF, XSS, DoS, and cache poisoning vulnerabilities. The PoCs are well-documented with detailed writeups, vulnerable code excerpts, and harnesses for testing.

Classification: Working PoC 95%
Attack Type: SSRF | XSS | DoS | Auth Bypass | Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Next.js v16.2.4
No auth needed
Prerequisites: Vulnerable Next.js v16.2.4 installation · Network access to the target
devstral-2 · analyzed May 13, 2026

github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/next-16.2.4-pocs/poc/CVE-2026-44576_GHSA-wfc6-r584-vfw7

This repository contains a functional exploit for CVE-2026-44576, demonstrating an RSC HTML cache poisoning vulnerability in Next.js versions prior to 16.2.5. The exploit leverages a loose RSC header check and URL-suffix misclassification to poison shared CDN caches, serving RSC binary payloads as text/html.

Classification: Working PoC 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Next.js < 16.2.5
No auth needed
Prerequisites: Next.js deployment with cache components enabled · Dynamic route segment with query parameters
devstral-2 · analyzed May 21, 2026

Scores

CVSS v3 5.4
EPSS 0.0002
EPSS Percentile 4.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-436
Status published
Products (5)
npm/next 14.2.0 - 15.5.16
npm/next 16.0.0 - 16.2.5
vercel/next.js 14.2.0 - 15.5.16
vercel/next.js >= 14.2.0, < 15.5.16
vercel/next.js >= 16.0.0, < 16.2.5
Published May 13, 2026
Tracked Since May 13, 2026