cbcvebase.
CVE-2026-23870
published 2026-05-06

CVE-2026-23870: A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server…

high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5).

Affected

21 ranges
VendorProductVersion rangeFixed in
metareact-server-dom-parcel>= 19.0.0 < 19.0.619.0.6
metareact-server-dom-parcel19.0.0 – 19.0.5
metareact-server-dom-parcel>= 19.1.0 < 19.1.719.1.7
metareact-server-dom-parcel19.1.0 – 19.1.6
metareact-server-dom-parcel>= 19.2.0 < 19.2.619.2.6
metareact-server-dom-parcel19.2.0 – 19.2.5
metareact-server-dom-turbopack>= 19.0.0 < 19.0.619.0.6
metareact-server-dom-turbopack19.0.0 – 19.0.5
metareact-server-dom-turbopack>= 19.1.0 < 19.1.719.1.7
metareact-server-dom-turbopack19.1.0 – 19.1.6
metareact-server-dom-turbopack>= 19.2.0 < 19.2.619.2.6
metareact-server-dom-turbopack19.2.0 – 19.2.5
metareact-server-dom-webpack>= 19.0.0 < 19.0.619.0.6
metareact-server-dom-webpack19.0.0 – 19.0.5
metareact-server-dom-webpack>= 19.1.0 < 19.1.719.1.7
metareact-server-dom-webpack19.1.0 – 19.1.6
metareact-server-dom-webpack>= 19.2.0 < 19.2.619.2.6
metareact-server-dom-webpack19.2.0 – 19.2.5
nextnext>= 13.0.0 < 15.5.1615.5.16
nextnext>= 16.0.0 < 16.2.516.2.5
rhoaiodh-dashboard-rhel9

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa7.5HIGH