Vulnerability in Meta React-server-dom-parcel

CVE-2026-23864

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending spe…

EPSS: 0.020 (83.9th percentile) — read the EPSS interpretation.

Affected products

Meta React-server-dom-parcel — versions 19.0.0, 19.1.0, 19.2.0
Meta React-server-dom-turbopack — versions 19.0.0, 19.1.0, 19.2.0
Meta React-server-dom-webpack — versions 19.0.0, 19.1.0, 19.2.0

References

www.facebook.com/security/advisories/cve-2026-23864 (x_refsource_CONFIRM)