Is next affected by CVE-2026-44582?

npm next is affected in >=13.4.6 =16.0.0 <16.2.5.

Is CVE-2026-44582 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

low

CVE-2026-44582

Q: Is CVE-2026-44582 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

npm · next

Summary

Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting

Severity: low
EPSS: 0.2% (p10)
Also known as: GHSA-vfv6-92ff-j949
Published: 2026-05-11

References

https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949
https://nvd.nist.gov/vuln/detail/CVE-2026-44582
https://github.com/vercel/next.js

Related advisories

CVE-2026-45109 — high · npm/next
CVE-2026-44579 — high · npm/next
CVE-2026-44578 — high · npm/next
CVE-2026-44575 — high · npm/next
CVE-2026-44574 — high · npm/next
CVE-2026-44573 — high · npm/next
GHSA-8h8q-6873-q5fj — high · npm/next
GHSA-q4gf-8mx6-v5v3 — high · npm/next

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.