
Vercel Ships 12 Next.js CVEs and a React RSC DoS Fix in Coordinated May Release

  • Shipped
  • Action required
  • High importance

On May 6, 2026, Vercel published a coordinated security release addressing 12 GitHub Security Advisories against Next.js, alongside CVE-2026-23870, a denial-of-service flaw in React Server Components. The disclosed vulnerability classes span middleware authentication bypass, cross-site scripting, server-side request forgery, cache poisoning, and multiple denial-of-service vectors. The fixed versions are Next.js 15.5.18 for the 15.x line and 16.2.6 for the 16.x line.

The breadth of vulnerability classes in a single coordinated drop makes this release unusually high-impact: middleware bypass and cache poisoning in particular sit in the request path and can affect all traffic through a Next.js deployment, not just one route. Teams running any 15.x release below 15.5.18 or any 16.x release below 16.2.6 should treat this upgrade as urgent. Projects self-hosting Next.js with custom middleware or SSR caching are most directly exposed. Vercel-hosted projects receive runtime mitigations sooner, but still need the dependency upgrade to close every CVE, since the platform mitigations do not patch the application's own Next.js code.
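A quick way to audit a fleet of projects against this release is to compare the Next.js version that is actually installed (the package `next build` will load, not the range in `package.json`) against the two fixed floors. The following is an added example written for this page, not code from Vercel or the advisory; it assumes only the two fixed versions quoted above, treats any other major line as not covered by this release, and uses constructed sample version strings when no `next` package is resolvable from the current directory.

```javascript
// Added example (not from the advisory or Vercel): decide whether an installed
// Next.js version is at or above the fixed releases for this May 2026 drop.
// Assumes the two fixed floors quoted in the article; any other major line is
// reported as "not covered" rather than guessed at.
const FIXED_FLOORS = {
  15: '15.5.18',
  16: '16.2.6',
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version string: ${JSON.stringify(v)}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver ordering on the parts we need: numeric core first; a prerelease of X
// sorts below X itself (16.2.6-canary.3 < 16.2.6), so a canary build of the
// fixed version does not count as patched.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0; // same core, both or neither prerelease: equal for our purposes
}

// Returns true (at or above the fixed version), false (vulnerable), or null
// (major line not covered by this release's fixed versions; check separately).
function isPatched(version) {
  const installed = parseVersion(version);
  const floor = FIXED_FLOORS[installed.core[0]];
  if (!floor) return null;
  return compareVersions(installed, parseVersion(floor)) >= 0;
}

// Resolve the Next.js version a project directory actually has installed.
// Returns null when `next` cannot be resolved from that directory.
function installedNextVersion(projectDir) {
  try {
    const pkgPath = require.resolve('next/package.json', { paths: [projectDir] });
    return require(pkgPath).version;
  } catch {
    return null;
  }
}

function report(version) {
  const verdict = isPatched(version);
  if (verdict === null) return `${version}: major line not covered by this release; check separately`;
  return verdict ? `${version}: at or above fixed version` : `${version}: VULNERABLE, upgrade`;
}

// Stand-alone run: audit the current directory if it has Next.js installed,
// otherwise exercise the check on constructed sample versions (not real deployments).
if (typeof require !== 'undefined' && require.main === module) {
  const target = installedNextVersion(process.cwd());
  const samples = target
    ? [target]
    : ['15.5.17', '15.5.18', '16.2.5', '16.2.6', '16.2.6-canary.3', '16.3.0', '14.2.0'];
  for (const v of samples) console.log(report(v));
}
```

Run it from each project root (`node check-next.js`) or feed it the output of `node -p "require('next/package.json').version"` from a CI step. The prerelease rule matters in practice: a canary tagged with the fixed version number is still below the fix and is reported as vulnerable rather than silently passing.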