CVE-2026-44579 Next.js: Denial of Service via connection exhaustion in applications using Cache Components

Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected...

CVE-2026-44579

Next.js vulnerability CVE-2026-44579 affects Next.js releases prior to 15.5.16 and 16.2.5 where Partial Prerendering via Cache Components can cause a connection-exhaustion DoS through crafted POST requests to a server action. A malicious request may trigger a request-body handling deadlock, leavi...

CVE-2026-44576

CVE-2026-44576 affects Next.js (React Server Components). In affected versions 14.2.0 to before 15.5.16 and 16.2.5, shared caches that do not properly partition response variants can poison the cache by serving an RSC response from the original URL, causing subsequent visitors to receive componen...

CVE-2026-44576 Next.js: Cache poisoning in React Server Component responses

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker...

CVE-2026-44576 Next.js: Cache poisoning in React Server Component responses

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker...

CVE-2026-44576

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker...

CVE-2026-44572

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat t...

CVE-2026-44457

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be...

CVE-2026-39458

When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel TMM to terminate. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

SUSE CVE-2017-12425

An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the...

CVE-2026-44572 Next.js: Middleware / Proxy redirects can be cache-poisoned

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat t...

CVE-2026-44572

Summary of CVE-2026-44572 (Next.js): Affects Next.js versions 12.2.0 to just before 15.5.16 and 16.2.5. An external client could send the x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. The middleware could treat this as a data request and replace...

CVE-2026-44572

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat t...

CVE-2026-44572 Next.js: Middleware / Proxy redirects can be cache-poisoned

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat t...

NPM: claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh

NPM: claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh vulnerability discovered by ? in WordPress Npm claude-code-cache-fix versions = 3.5.0, 3.5.2...

Arbitrary Code Injection

Overview claude-code-cache-fix is a Cache optimization proxy and interceptor for Claude Code. Fixes prompt cache bugs, stabilizes prefix, reduces quota burn. Affected versions of this package are vulnerable to Arbitrary Code Injection via the tools/quota-statusline.sh process. An attacker can...

CVE-2026-44457 Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be...

CVE-2026-44457

CVE-2026-44457 affects Hono's Cache Middleware prior to v4.12.18, which does not skip caching for responses with Vary: Authorization or Vary: Cookie. This can allow a response cached for one authenticated user to be served to other users, leaking per-user data. The issue is fixed in v4.12.18. Rem...

CVE-2026-44457 Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be...

CVE-2026-44457

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be...