Context: CVE-2025-55182 (CVSS 10.0, remote code execution via React Server Components) has been exploited in the wild since December 2025; 766+ hosts had been breached as of April 2026. CVE-2026-23864 (CVSS 7.5, denial of service) was disclosed in January 2026. Both affect Next.js App Router applications that use React Server Components, which includes all JSS 22.x Next.js deployments. The vulnerable component is the React/Next.js dependency, not the JSS packages themselves, so consumers need to know which dependency versions to move to. Sitecore has not published a JSS-specific advisory pointing consumers to safe minimum versions.
Steps:
1. Navigate to `https://github.com/Sitecore/jss/security/advisories/new`
2. Create advisory titled "React Server Components vulnerabilities affect JSS Next.js deployments"
3. Reference CVE-2025-55182 and CVE-2026-23864 with their CVSS scores and links to the upstream React and Next.js advisories
4. Specify affected versions: all JSS 22.x Next.js applications running React <19.2.4 or Next.js <16.1.5
5. Recommend minimum safe versions as the immediate fix: React >=19.2.4, Next.js >=16.1.5
6. Link to the official Sitecore migration guide for Content SDK as the long-term remediation path
7. Pin the advisory link in the repository README
Acceptance criteria:
GitHub Security Advisory published and visible on the repo's security tab
Advisory references both CVEs with CVSS scores that match the upstream React and Next.js advisories
Minimum safe dependency versions clearly stated
README links to the advisory
Risks: Low. Publishing the advisory is a net positive for consumer trust. The one thing to get right before publishing is the affected range: confirm the CVSS scores, affected versions and fixed versions against the upstream advisories, since an advisory that overstates or understates the affected dependency range sends consumers to the wrong remediation.