Summary We have shipped a coordinated security release for Next.js addressing 13 advisories across denial of service, middleware and proxy bypass, server-side request forgery, cache poisoning, and cross-site scripting. One advisory addresses an upstream React Server Components vulnerability tracked as . CVE-2026-23870 Patched versions are available for both React and Next.js, and all should upgrade immediately.affected users The release addresses the following advisories: Affects applications that rely on or for authorization.middleware.jsproxy.js Affects applications using Server Functions, Partial Prerendering with Cache Components, or the Image Optimization API.

Affects applications that handle WebSocket upgrade requests. Affects applications with caching layers in front of React Server Component responses. Affects applications using CSP nonces in App Router, or scripts that consume untrusted input.beforeInteractive These vulnerabilities are addressed by the patched releases of React and Next.js. Patching is the only complete mitigation, and all should upgrade immediately. affected users Vercel has not deployed new WAF rules for this release; these advisories cannot be…