Klyo Changelog

Web framework upgraded to close RSC denial-of-service vulnerability

The bundled web framework is upgraded to close CVE-2026-23869, a denial-of-service vulnerability in Server Components endpoints where a crafted POST request consumed roughly 60 seconds of CPU per call. The upgrade also rolls up eleven concurrent framework advisories — including additional RSC DoS variants, a middleware-routing bypass, a WebSocket SSRF, an HTTP request-smuggling issue in rewrites, a CSP-nonce XSS, and several cache-poisoning fixes.

Four additional advisories in build-time tooling — a CSS post-processor, two glob libraries, and a lint-cache serializer — are pinned to patched versions. These dependencies never run in the production image and never see network input, but the pins satisfy customer dependency-scanners and prevent a future install from silently re-resolving to a vulnerable transitive.

Self-hosted operators must rebuild and recreate the web container to pick up the runtime fix.