Next.js May 2026 security release
Next.js has shipped a coordinated security release (versions 15.5.18 and 16.2.6) addressing 13 advisories. Vulnerabilities include middleware and proxy bypass (App Router segment-prefetch, Pages Router i18n), denial of service in React Server Components (CVE-2026-23870), DoS via Cache Components and Image Optimization API, server-side request forgery via WebSocket upgrades, cache poisoning, and cross-site scripting via CSP nonces or beforeInteractive scripts. Patched React versions (19.0.6, 19.1.7, 19.2.6) are also available. Upgrading immediately is the only complete mitigation; WAF rules are not sufficient.
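Since upgrading is the only complete mitigation, a lockfile check is a quick way to confirm which installed copies are still below the fixed releases. The following is an added example, not code from the Next.js project: it assumes an npm `package-lock.json` (lockfileVersion 2 or 3), assumes the `react` package is the one to check, and uses a constructed sample lockfile; the function names are hypothetical.

```javascript
// Fixed versions are the ones named in the release summary above.
const FIXED = new Map([
  // Next.js fixes are named per major line (depth 1).
  ['next', { depth: 1, lines: { '15': [15, 5, 18], '16': [16, 2, 6] } }],
  // React fixes are named per major.minor line (depth 2). Checking the
  // `react` package is an assumption; the summary names no package.
  ['react', { depth: 2, lines: { '19.0': [19, 0, 6], '19.1': [19, 1, 7], '19.2': [19, 2, 6] } }],
]);

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns 'patched', 'needs-upgrade', or 'unlisted' (no fix named for that line).
function classify(name, version) {
  const rule = FIXED.get(name);
  const parsed = parseVersion(version);
  if (!rule || !parsed) return 'unlisted';
  const fixed = rule.lines[parsed.nums.slice(0, rule.depth).join('.')];
  if (!fixed) return 'unlisted';
  for (let i = 0; i < 3; i++) {
    if (parsed.nums[i] !== fixed[i]) return parsed.nums[i] > fixed[i] ? 'patched' : 'needs-upgrade';
  }
  // Same x.y.z as the fix: a prerelease tag (e.g. -canary.1) sorts before the release.
  return parsed.pre ? 'needs-upgrade' : 'patched';
}

// Walks the `packages` map of the lockfile, including nested copies such as
// node_modules/a/node_modules/react that a top-level upgrade would miss.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (FIXED.has(name)) findings.push({ path, version: meta.version, status: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/next': { version: '15.5.17' },
  'node_modules/react': { version: '19.2.6' },
  'node_modules/widget/node_modules/react': { version: '19.1.2' },
  'node_modules/react-dom': { version: '19.2.6' },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

An `unlisted` result means the summary names no fixed release for that release line, so it needs a manual check against the advisories rather than being read as safe.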