CVE-2026-44582

LOW LAB

Next.js: Cache poisoning via collisions in React Server Component cache-busting

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-44582. PoCs published by dwisiswant0, XZ1r0.

AI-analyzed exploit summary: This repository contains functional exploit proof-of-concept code for multiple Next.js vulnerabilities, including detailed write-ups, vulnerable code excerpts, and patch analysis. The PoCs are structured to demonstrate issues like SSRF, XSS, and cache poisoning in Next.js v16.2.4.

Description

Next.js is a React framework for building full-stack web applications. In versions from 13.4.6 up to (but not including) 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. Under affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries, so that users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.

Exploits (2)

GitHub · Working PoC · 127 stars
by dwisiswant0 · python · poc
https://github.com/dwisiswant0/next-16.2.4-pocs

Classification
Working PoC 95%
Attack Type
SSRF | XSS | DoS | Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Next.js v16.2.4
No auth needed
Prerequisites: Vulnerable Next.js application running on a target server
devstral-2 · analyzed May 13, 2026

GitHub · Working PoC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/next-16.2.4-pocs/poc/CVE-2026-44582_GHSA-vfv6-92ff-j949

This repository contains a functional exploit for CVE-2026-44582, demonstrating a weak hash collision in Next.js <16.2.5 that allows RSC cache poisoning. The exploit includes a Python script to find hash collisions and a bash script to automate the process.

Classification
Working PoC 100%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Next.js <16.2.5
No auth needed
Prerequisites: Next.js application running a vulnerable version (<16.2.5) · Access to the target application
devstral-2 · analyzed May 21, 2026

Scores

CVSS v3 3.7
EPSS 0.0001
EPSS Percentile 1.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-328
Status published
Products (5)
npm/next 13.4.6 - 15.5.16 (npm)
npm/next 16.0.0 - 16.2.5 (npm)
vercel/next.js 13.4.6 - 15.5.16
vercel/next.js >= 13.4.6, < 15.5.16
vercel/next.js >= 16.0.0, < 16.2.5
Published May 13, 2026
Tracked Since May 13, 2026