Home / Vulnerability Intelligence / CVE-2026-23869

CVE-2026-23869 - Vulnerability Analysis

HighCVSS: 7.5

Last Updated: April 8, 2026

React Server Components - Denial of Service

Published: April 8, 2026Updated: April 8, 2026PoC AvailableRemote Exploitable

Overview

React Server Components react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack (19.0.0-19.0.4, 19.1.0-19.1.5, 19.2.0-19.2.4) contain a denial of service caused by specially crafted HTTP requests to Server Function endpoints, letting attackers cause excessive CPU usage and service disruption, exploit requires sending crafted HTTP requests.

Severity & Score

Severity: High

CVSS Score: 7.5

EPSS Score: 32.2%(Probability of exploitation in next 30 days)

Impact

Attackers can cause excessive CPU usage leading to service disruption or denial of service.

Mitigation

Update to the latest version beyond 19.2.4.

References

https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 9, 2026

🟠 CVE-2026-23869 - High (7.5) A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23869/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

GitHub Repositories(2 repos)

Related Resources

Details

CVE ID: CVE-2026-23869
Severity: High
CVSS Score: 7.5
Type: denial_of_service
Status: unconfirmed
EPSS: 32.2%
Social Posts: 1

CWE

CWE-400

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

32.2%Probability of exploitation in the next 30 days