rallly

v4.10.1 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

Published 20d Productivity & Wikis
This release patches 1 known CVE

Topics

i18next next-auth nextjs postgresql prisma react-email t3-stack tailwindcss trpc turborepo typescript zod

ReleasePort's take

Moderate signal

Rallly v4.10.1 patches CVE-2026-23870, a DoS vulnerability in React Server Components, by upgrading Next.js to 16.2.6 and React/ReactDOM to 19.2.6.

Why it matters: CVE-2026-23870 (CVSS 8.1) is mitigated only after upgrading to Next.js 16.2.6 and React 19.2.6; deployments using those components must patch before the May 2026 advisory deadline.

Summary

AI summary

CVE-2026-23870 (React Server Components DoS) patched by upgrading Next.js to 16.2.6 and React/ReactDOM to 19.2.6.

Changes in this release

Security High

Patches Next.js May 2026 security advisory and CVE-2026-23870 (React Server Components DoS).

Source: granite4.1:30b@2026-05-22-audit

Confidence: high

Security Medium

Upgrades Next.js to version 16.2.6.

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

Upgrades React and React DOM to version 19.2.6.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

🔒 Security Patch

This release patches the Next.js May 2026 security advisory and CVE-2026-23870 (React Server Components DoS).

Important: All self-hosted users should upgrade immediately.

What's changed

  • ⬆️ Upgrade Next.js to 16.2.6
  • ⬆️ Upgrade React and React DOM to 19.2.6

Affected surface in Rallly includes middleware, App Router segment-prefetch, Image Optimization, Server Functions, and CSP nonces.

Full Changelog: https://github.com/lukevella/rallly/compare/v4.10.0...v4.10.1

Security Fixes

  • CVE-2026-23870 — React Server Components DoS vulnerability patched by upgrading Next.js to 16.2.6 and React/ReactDOM to 19.2.6

About rallly

Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier.
