- **Next.js 16.2** shipped 2026-03-18 with ~400% faster dev startup via Turbopack improvements, Server Fast Refresh, and new AI-agent tooling (AGENTS.md, Agent DevTools).
- **CVE-2026-23864** (CVSS 7.5, DoS via RSC memory exhaustion) disclosed in January 2026; patched in Next.js 16.1.5, 16.0.11, and back-ported to 15.x lines.
- **CVE-2025-55182 / CVE-2025-66478** (CVSS 10.0, RCE via React Server Components) continues to be actively exploited in the wild as of April 2026; fixed in Next.js 16.0.7+ and React 19.0.3+.
- Next.js 15.x entered **Maintenance LTS** (critical/security fixes only) through October 2026.
- Community sentiment is mixed: Turbopack speed gains and caching overhaul praised, but middleware limitations and server/client boundary complexity remain recurring friction points.
---
16.2.x (latest 16.2.1)
Current Version
5
Release Lines
3
CVEs This Window
5
Active Trends
Release Timeline
VersionCategory
Date
Notes
16.2.x (latest 16.2.1)Current active / stable
2026-03-18
Turbopack default for dev+build, AI tooling
15.x (LTS)Current maintenance
2024-10-21 (initial)
Critical/security only; EOL Oct 2026
14.xLatest deprecated
—
No longer receiving patches
16.3 canary trackPlanned / announced
ongoing
Canary releases on GitHub
Latest Release Notes
~400% faster `next dev` startup and ~50% faster rendering compared to 16.1, driven by 200+ Turbopack fixes.
Server Fast Refresh enables fine-grained server-side hot reloading without full page reload.
Subresource Integrity (SRI) support for JavaScript files in Turbopack builds.
AI-agent features: `create-next-app` includes AGENTS.md by default; experimental Agent DevTools give AI agents terminal access to React DevTools and Next.js diagnostics; browser log forwarding for agent-powered debugging.
Redesigned built-in 500 page; Hydration Diff Indicator in error overlay; `--inspect` support for `next start`.
Security Advisories
CVE / AdvisorySeverity
Summary
Affected: Affected versionsFixed: Fixed in
CVE-2026-23864High (CVSS 7.5)
DoS via memory exhaustion in React Server Function invocations; unauthenticated, no user interaction required
RCE via crafted HTTP request to RSC endpoint; actively exploited in the wild (766+ hosts breached per The Hacker News, April 2026). Pages Router and Edge Runtime not affected.
Next.js 16.2 positions the framework as an AI-agent host: AGENTS.md scaffolding, browser log forwarding, and experimental Agent DevTools signal Vercel is designing for LLM-driven development workflows.
Turbopack is now the default bundler
for both `next dev` and `next build` since 16.0. Filesystem caching (experimental in 16.0-16.1) continues to mature. Webpack remains available but is no longer the default path.
Caching model reset.
Since 16.0, all dynamic code runs at request time by default; explicit opt-in via `"use cache"` directive replaces the previous aggressive caching defaults. Community reception is broadly positive — the old caching behavior was a top complaint.
Middleware limitations persist.
AsyncLocalStorage incompatibility between middleware and application code blocks distributed tracing and advanced auth patterns. A Hacker News thread ("Next.js is infuriating") gained traction in early 2026; `proxy.ts` (introduced in 16.0) partially addresses the network boundary but does not resolve context-sharing issues.
Emerging framework competition.
TanStack Start and other alternatives are gaining mindshare among developers frustrated with server/client boundary complexity, though Next.js retains dominant adoption (5M+ weekly npm downloads).