CVE-2026-23869

🗓️ 08 Apr 2026 19:11:08Reported by MetaType

cve🔗 web.nvd.nist.gov📰️ 2 Media mentions👁 40 Views

Denial of service in React Server Components via crafted HTTP requests, causing high CPU for up to a minute.

Reporter	Title	Published	Views	Family All 29
GithubExploit	Exploit for CVE-2026-23869	11 Apr 202605:00	–	githubexploit
GithubExploit	Exploit for CVE-2026-23869	11 Apr 202605:00	–	githubexploit
GithubExploit	Exploit for CVE-2026-23869	10 Apr 202606:34	–	githubexploit
Circl	CVE-2026-23869	9 Apr 202601:27	–	circl
CNNVD	React 安全漏洞	8 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-23869	8 Apr 202619:11	–	cvelist
EUVD	EUVD-2026-20584	10 Apr 202615:35	–	euvd
F5 Networks	K000160686: React framework vulnerability CVE-2026-23869	9 Apr 202609:43	–	f5
Github Security Blog	React Server Components have a Denial of Service Vulnerability	10 Apr 202615:35	–	github
Github Security Blog	Next.js has a Denial of Service with Server Components	10 Apr 202615:35	–	github

Vulners

Node

meta react-server-dom-turbopackRange19.0.0–19.0.4

meta react-server-dom-turbopackRange19.1.0–19.1.5

meta react-server-dom-turbopackRange19.2.0–19.2.4

meta react-server-dom-parcelRange19.0.0–19.0.4

meta react-server-dom-parcelRange19.1.0–19.1.5

meta react-server-dom-parcelRange19.2.0–19.2.4

meta react-server-dom-webpackRange19.0.0–19.0.4

meta react-server-dom-webpackRange19.1.0–19.1.5

meta react-server-dom-webpackRange19.2.0–19.2.4

[
  {
    "defaultStatus": "unaffected",
    "product": "react-server-dom-turbopack",
    "vendor": "Meta",
    "versions": [
      {
        "lessThanOrEqual": "19.0.4",
        "status": "affected",
        "version": "19.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "19.1.5",
        "status": "affected",
        "version": "19.1.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "19.2.4",
        "status": "affected",
        "version": "19.2.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "react-server-dom-parcel",
    "vendor": "Meta",
    "versions": [
      {
        "lessThanOrEqual": "19.0.4",
        "status": "affected",
        "version": "19.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "19.1.5",
        "status": "affected",
        "version": "19.1.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "19.2.4",
        "status": "affected",
        "version": "19.2.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "react-server-dom-webpack",
    "vendor": "Meta",
    "versions": [
      {
        "lessThanOrEqual": "19.0.4",
        "status": "affected",
        "version": "19.0.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "19.1.5",
        "status": "affected",
        "version": "19.1.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "19.2.4",
        "status": "affected",
        "version": "19.2.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
github	www.github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg

08 Apr 2026 21:26Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.17.5

EPSS0.00841

SSVC