What is CVE-2026-27978?

CVE-2026-27978 is a vulnerability in Vercel Next.js, classified under Cross-Site Request Forgery (CSRF). Published 2026-03-17.

Is CVE-2026-27978 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

CSRF in Vercel Next.js

CVE-2026-27978

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests fro…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.000 (1.0th percentile) — read the EPSS interpretation.

Affected products

Vercel Next.js — versions >= 16.0.1, < 16.1.7

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

Public proof-of-concept exploits

Nayekah/Next.js-Proof-of-Concept

References

https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx (x_refsource_CONFIRM)
https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8 (x_refsource_MISC)
https://github.com/vercel/next.js/releases/tag/v16.1.7 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-27978?: CVE-2026-27978 is a vulnerability in Vercel Next.js, classified under Cross-Site Request Forgery (CSRF). Published 2026-03-17.
Is CVE-2026-27978 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.