
Next.js and React Server Components Coordinated Security Release: 12 Advisories Patched

  • Shipped
  • Action required
  • High importance

A coordinated disclosure on May 6-7, 2026 addressed 13 vulnerabilities spanning Next.js and React Server Components. CVE-2026-23870 is a denial-of-service flaw in the react-server-dom-* packages affecting React 19.0.0–19.2.5, patched in 19.0.6, 19.1.7, and 19.2.6.

The 12 Next.js GHSAs cover a wide attack surface:

  • Middleware and proxy bypasses in App Router and Turbopack builds (GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6)
  • XSS vectors via CSP nonces and beforeInteractive scripts (GHSA-ffhc-5mcf-pf4q, GHSA-gx5p-jg67-6x7h)
  • SSRF in WebSocket upgrades (GHSA-c4j6-fc7j-m34r)
  • RSC response cache poisoning and collision (GHSA-wfc6-r584-vfw7, GHSA-vfv6-92ff-j949)
  • Dynamic route parameter injection (GHSA-492v-c6pp-mqqv)
  • Connection-exhaustion DoS (GHSA-mg66-mrh9-m8jx)
  • Image Optimization API DoS (GHSA-h64f-5h5j-jqjh)
  • Pages Router i18n bypass (GHSA-36qx-fr4f-26g5)
  • Server Components DoS (GHSA-8h8q-6873-q5fj)

The breadth of the release makes it the most significant Next.js security event in recent memory: the middleware bypass classes alone could allow unauthenticated access to protected routes in any App Router deployment on 15.2.0 or later. Teams running self-hosted Next.js or deploying to Netlify, Cloudflare, or other platforms must upgrade to Next.js 15.5.18 (for the 15.x line) or 16.2.6 (for the 16.x line) and pin react-server-dom-webpack / react-server-dom-turbopack to the matching patched minor. Vercel-hosted deployments received mitigations at the platform layer, but package upgrades remain the only complete fix across all environments.
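The remediation above boils down to a handful of version floors per release line. The script below is an added example, not code from the advisory or from the Next.js or React projects: it encodes those floors (15.5.18 / 16.2.6 for next; 19.0.6 / 19.1.7 / 19.2.6 for the react-server-dom-* packages, keyed by minor line, which is how "pin to the matching patched minor" is read here) and checks a map of installed package versions against them. The map is assumed to come from `npm ls --depth=0 --json` (the `dependencies.<name>.version` fields), since a range in package.json such as `^15.4.0` is not the version actually installed. The sample project in the block is constructed, and release lines the advisory does not name (for example 14.x) are reported as unknown rather than guessed.

```javascript
// Added example: check installed Next.js / react-server-dom-* versions against the
// patched floors quoted in the advisory. Node.js, no third-party dependencies.
// Run with: node check-versions.js

// Patched floors per release line, taken from the advisory text.
// next is keyed by major line; react-server-dom-* by major.minor line.
const PATCHED_FLOORS = {
  next: { '15': '15.5.18', '16': '16.2.6' },
  'react-server-dom-webpack': { '19.0': '19.0.6', '19.1': '19.1.7', '19.2': '19.2.6' },
  'react-server-dom-turbopack': { '19.0': '19.0.6', '19.1': '19.1.7', '19.2': '19.2.6' },
};

// Parse "16.2.6", "v16.2.6" or "16.2.6-canary.3" into [major, minor, patch].
// Prerelease tags are dropped, so a canary build of a patched version reports as
// patched; treat canaries as a manual follow-up.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric (not lexicographic) comparison: 15.10.0 sorts after 15.9.9.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { status: 'patched' | 'vulnerable' | 'unknown', floor } for one package.
// 'unknown' means the advisory text names no floor for that package or release line.
function checkPackage(name, version) {
  const lines = PATCHED_FLOORS[name];
  if (!lines) return { status: 'unknown', floor: null };
  const [major, minor] = parseVersion(version);
  const key = name === 'next' ? String(major) : `${major}.${minor}`;
  const floor = lines[key];
  if (!floor) return { status: 'unknown', floor: null };
  const status = compareVersions(version, floor) >= 0 ? 'patched' : 'vulnerable';
  return { status, floor };
}

// installed: { packageName: resolvedVersion }, e.g. built from the output of
// `npm ls --depth=0 --json` (dependencies.<name>.version). Only packages named in
// the advisory are reported; anything else is skipped.
function auditInstalled(installed) {
  const findings = [];
  for (const name of Object.keys(PATCHED_FLOORS)) {
    if (!(name in installed)) continue;
    const result = checkPackage(name, installed[name]);
    findings.push({ name, version: installed[name], ...result });
  }
  return findings;
}

// Constructed sample: a 15.x App Router project that has not yet upgraded.
const SAMPLE_INSTALLED = {
  next: '15.4.2',
  'react-server-dom-webpack': '19.2.5',
  react: '19.2.5',
};

// Print a report when run directly (guarded so the functions can also be imported).
if (typeof require === 'function' && typeof module === 'object' && require.main === module) {
  for (const f of auditInstalled(SAMPLE_INSTALLED)) {
    const floorNote = f.floor ? ` (patched floor ${f.floor})` : '';
    console.log(`${f.name}@${f.version}: ${f.status}${floorNote}`);
  }
}
```

Wire this into CI by feeding it the real `npm ls --depth=0 --json` output and failing the build on any `vulnerable` finding; an `unknown` result for a release line the advisory does not mention is a prompt to read the GHSAs, not a pass.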