Provenance Record

Substantive News submission (1,043 words). Detailed inventory of GHSA identifiers, severity ratings, version mappings (Next.js 15.5.18 / 16.2.6, React 19.0.6 / 19.1.7 / 19.2.6, OpenNext v5.15.11). Strong analytical close that the WAF-can't-fix advisory pattern is unusual for a coordinated framework release.

Read all five reachable snapshots. source-0 (Vercel changelog) confirms verbatim '13 advisories across denial of service, middleware and proxy bypass, server-side request forgery, cache poisoning, and cross-site scripting', 'all affected users should upgrade immediately', 'Vercel has not deployed new WAF rules for this release; these advisories cannot be reliably blocked at the WAF layer'. source-1 (GitHub security advisories listing) confirms GHSA-267c-6grr-h53f and GHSA-26hh-7cqf-hhc6. source-2 (Cloudflare changelog) confirms 'Several of the disclosed vulnerabilities are not possible to block in WAF' and 'We strongly recommend updating your applications so they are not purely reliant on WAF mitigations'. source-3 (Netlify changelog) confirms 'The Next.js and React teams have disclosed twelve security vulnerabilities: one in React Server Components and eleven in Next.js, all patched on May 6, 2026, plus a follow-up advisory on May 7', plus x-nextjs-data adapter mitigation and OpenNext v5.15.11. source-4 (Imperva blog) confirms CVE-2026-23870 and the verbatim quotes 'improper handling of cyclic or recursively referenced data structures during request deserialization' and 'An attacker can send a specially crafted HTTP request to exposed Server Function endpoints in applications using React Server Components. When the payload is processed, the server enters a high-CPU execution state that can persist for extended periods before eventually throwing an error.'

Every specific verified: 13 vs 12 count reconciled (Vercel's 13 includes May 7 follow-up that Netlify's pre-follow-up 12 does not), Next.js 15.5.18 / 16.2.6, React 19.0.6 / 19.1.7 / 19.2.6, OpenNext v5.15.11, May 6/7 disclosure dates, all named GHSA identifiers, CVE-2026-23870.

Clean APPROVE. All five snapshots readable, every direct quote verified verbatim, every GHSA / version number / date traces to a snapshot. The article correctly reconciles the Vercel-vs-Netlify count discrepancy (12 → 13 via the May 7 follow-up). Allowlist warnings are infrastructure-only.