- **React Foundation launched (Feb 24, 2026):** React, React Native, and JSX ownership transferred from Meta to the React Foundation, an independent body hosted by the Linux Foundation with eight Platinum founding members (Amazon, Callstack, Expo, Huawei, Meta, Microsoft, Software Mansion, Vercel). Seth Webster serves as executive director.
- **Critical DoS patch (Jan 26, 2026):** CVE-2026-23864 addressed multiple denial-of-service vectors in Server Components / Server Actions across all 19.x lines, releasing 19.0.4, 19.1.5, and 19.2.4. This follows the severe React2Shell RCE (CVE-2025-55182, CVSS 10.0) from December 2025.
- **React 19.2.4 is current stable.** No new minor or major version announced in this window; patch releases focused exclusively on security hardening.
- **React Compiler 1.0 is stable** (shipped Oct 2025) and seeing production adoption; developer excitement highest for the compiler (62% in State of React 2025 survey).
- **Community sentiment is cautiously positive.** React 19 adoption at 48% of daily users; RSC adoption at 45% of new projects but cited as a pain point by some; overall developer happiness averaged 3.6/5 with a slight downward trend.
---
19.2.4
Current Version
6
Release Lines
5
CVEs This Window
5
Active Trends
Release Timeline
VersionCategory
Date
Notes
19.2.4Current active / stable
2026-01-26
DoS mitigations for Server Actions; hardens Server Components
19.1.5Current maintenance
2026-01-26
Same DoS mitigations backported
19.0.4Current maintenance
2026-01-26
Same DoS mitigations backported
18.xLatest deprecated
2024-12 (superseded)
Security-only; no active development
N/APlanned / announced
—
No new minor or major version announced in window
Latest Release Notes
19.2.4, 19.1.5, 19.0.4 (Jan 26, 2026): Additional DoS mitigations for Server Actions and hardened Server Components against crafted HTTP payloads (CVE-2026-23864).
These patches complete the remediation cycle that began with the React2Shell RCE fix in Dec 2025 (CVE-2025-55182) and subsequent incomplete patches in 19.0.2, 19.1.3, 19.2.2.
No new features, APIs, or breaking changes in this window; all releases are security-only patches.
Security Advisories
CVE / AdvisorySeverity
Summary
Affected: Affected versionsFixed: Fixed in
CVE-2026-23864High
Multiple DoS vectors in Server Components / Server Actions via crafted HTTP requests causing crashes, OOM, or excessive CPU
The React Foundation establishment (Feb 2026) is the most significant structural change to React's governance since its open-source release. A provisional leadership council will determine long-term technical governance; repository and infrastructure transfers are ongoing.
RSC security surface under scrutiny:
Three critical-to-high CVEs in late 2025 and one more in Jan 2026 have established Server Components as a new attack surface requiring active security monitoring. The React2Shell incident (CVE-2025-55182) saw active exploitation and broad industry response.
React Compiler adoption accelerating:
Compiler 1.0 (Oct 2025) is the feature developers are most excited about (62%, State of React 2025). It eliminates manual memoization (useMemo/useCallback/React.memo) which remains a top pain point.
RSC adoption growing but polarizing:
45% of new projects use Server Components; 29% of developers have hands-on experience. Ecosystem complexity and the mental model shift (especially around hydration, data fetching boundaries, and framework coupling) remain friction points.
React 19 uptake strong:
48.4% of daily React users on React 19 per State of React 2025; SPA usage at 84%, SSR at 61%, SSG at 44%.