
Next.js Security Release Expands to 13 Advisories with CVE-2026-23870 RSC DoS

  • Shipped
  • Action required
  • High importance

The coordinated Next.js security release has been updated to encompass 13 total advisories — 6 high-severity, 3 moderate, and 2 low — plus CVE-2026-23870, a React Server Components upstream denial-of-service flaw. Affected versions span Next.js 13.x and 14.x (all versions), 15.x up through 15.5.17, and 16.x up through 16.2.6. Patched releases are Next.js 15.5.18 and 16.2.6; React packages 19.0.6, 19.1.7, and 19.2.6 address the upstream RSC component. Vercel states patching is the only complete mitigation.

The addition of CVE-2026-23870 elevates the scope beyond the original 12-advisory disclosure by confirming an upstream React vulnerability in the same coordinated window. Teams running any Next.js 13 or 14 installation remain fully exposed with no patch path available for those branches, while 15.x and 16.x users must upgrade to the new patch releases. The breadth of issue classes — DoS, middleware bypass, SSRF, cache poisoning, and XSS — means the attack surface is wide enough that prioritizing these upgrades ahead of normal maintenance cycles is warranted.
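As a triage aid added here (not code from Vercel or the Next.js project), the following Python check classifies every Next.js copy in a package-lock against the version boundaries stated above, including nested copies and prereleases of the fix version. It assumes the "patched releases" statement is authoritative where the note is ambiguous about 16.2.6, and the lockfile fragment is constructed.

```python
import json
import re
from typing import Optional, Tuple

# Fixed releases per the note: anything below the fix on the same major line is
# affected; 13.x and 14.x have no fix. Assumption (the note is ambiguous about
# 16.2.6): the "patched releases" statement wins, so 16.2.6 itself counts as fixed.
NEXT_FIXED = {15: (15, 5, 18), 16: (16, 2, 6)}
NEXT_UNFIXED_MAJORS = {13, 14}

_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")

def parse_version(text: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_prerelease) or None if unparseable."""
    m = _VER.match(text.strip())
    if not m:
        return None
    return int(m[1]), int(m[2]), int(m[3]), m[4] is not None

def next_status(version: str) -> str:
    """Classify a Next.js version: affected, unfixed-branch, fixed or unknown."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    major, minor, patch, pre = v
    if major in NEXT_UNFIXED_MAJORS:
        return "unfixed-branch"  # no patch path on this branch; only a major upgrade helps
    fix = NEXT_FIXED.get(major)
    if fix is None:
        return "unknown"  # majors the note does not cover
    # A prerelease of the fix version (e.g. 15.5.18-canary.1) still precedes it.
    below_fix = (major, minor, patch) < fix or ((major, minor, patch) == fix and pre)
    return "affected" if below_fix else "fixed"

def triage_lockfile(lock_json: str) -> dict:
    """Map every 'next' entry in a package-lock v2/v3 'packages' table to its status."""
    data = json.loads(lock_json)
    return {
        path: next_status(meta.get("version", ""))
        for path, meta in data.get("packages", {}).items()
        if path == "node_modules/next" or path.endswith("/node_modules/next")
    }

# Constructed sample lockfile fragment (not from any real project): one app on the
# last vulnerable 15.x patch, one nested legacy copy on an unfixed 14.x branch.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/next": {"version": "15.5.17"},
    "node_modules/legacy-app/node_modules/next": {"version": "14.2.3"},
}})
```

Run `triage_lockfile(open("package-lock.json").read())` against a real project; any "affected" or "unfixed-branch" entry, nested ones included, needs the upgrade before the next regular maintenance window.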