The Next.js doc that is misleading is:
Specifically this part:
In my case, I needed to upgrade to 15.5.9 since I was already on 15.5.7. Likewise, 15.2.6 is not a safe patched release anymore. This appears to be the old list of patched versions from the original CVE report.