CVE-2026-27978
Published 2026-03-18. CVE-2026-27978: Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a…
Priority P4 · 21 · medium 4.3 · CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS 0.20% (10.0th percentile)
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
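The two decision paths the advisory describes, as an added illustrative model (not Next.js's own implementation): the vulnerable path folds a literal `"null"` Origin into the "no Origin header" case, while the fixed path treats `"null"` as an explicit value that only passes when deliberately allowlisted. The function names and the exact-host form of `allowedOrigins` are assumptions made for the example.

```javascript
// Illustrative model of the Server Action origin check (not Next.js code).
// allowedOrigins is modelled as exact host strings (an assumption).

function originHost(origin) {
  try {
    return new URL(origin).host;   // "https://app.example:3000/x" -> "app.example:3000"
  } catch {
    return null;                   // "null" and other non-URL values do not parse
  }
}

// Vulnerable behaviour (16.0.1 up to 16.1.6): "null" is treated as "missing",
// so the cross-origin comparison is skipped for sandboxed-iframe submissions.
function checkOriginVulnerable(req, allowedOrigins = []) {
  const origin = req.origin === "null" ? undefined : req.origin;
  if (origin === undefined) return "allow";   // verification skipped entirely
  const oh = originHost(origin);
  return oh === req.host || allowedOrigins.includes(oh) ? "allow" : "reject";
}

// Fixed behaviour (16.1.7): "null" is an explicit origin; it never matches the
// host, so it is rejected unless "null" is in the allowlist. An absent Origin
// header is outside this advisory's scope and is left on its original path.
function checkOriginFixed(req, allowedOrigins = []) {
  if (req.origin === undefined) return "allow";
  if (req.origin === "null") {
    return allowedOrigins.includes("null") ? "allow" : "reject";
  }
  const oh = originHost(req.origin);
  if (oh === null) return "reject";             // unparsable Origin value
  return oh === req.host || allowedOrigins.includes(oh) ? "allow" : "reject";
}

// Constructed sample POSTs as a Server Action handler would see them.
const samples = [
  { label: "same-origin form",  origin: "https://app.example",  host: "app.example" },
  { label: "cross-origin site", origin: "https://evil.example", host: "app.example" },
  { label: "sandboxed iframe",  origin: "null",                 host: "app.example" },
];

for (const s of samples) {
  console.log(`${s.label}: vulnerable=${checkOriginVulnerable(s)} fixed=${checkOriginFixed(s)}`);
}
```

Running it shows the sandboxed-iframe case flipping from `allow` to `reject` while the same-origin and cross-origin cases are unchanged.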
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| next | next | >= 16.0.1 < 16.1.7 | 16.1.7 |
| vercel | next.js | — | — |
| vercel | next.js | >= 16.0.1 < 16.1.7 | 16.1.7 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | n/a | 5.3 | MEDIUM | n/a |
OSV
Next.js: null origin can bypass Server Actions CSRF checks
osv·2026-03-17
CVE-2026-27978 [MEDIUM] Next.js: null origin can bypass Server Actions CSRF checks
Next.js: null origin can bypass Server Actions CSRF checks
## Summary
`origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.
## Impact
An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).
## Patches
Fixed by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`.
## Workarounds
If upgrading is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer `
GHSA
Next.js: null origin can bypass Server Actions CSRF checks
ghsa·2026-03-17
CVE-2026-27978 [MEDIUM] CWE-352 Next.js: null origin can bypass Server Actions CSRF checks
Red Hat
next.js: Next.js: null origin can bypass Server Actions CSRF checks
vendor_redhat·2026-03-17·CVSS 5.3
CVE-2026-27978 [MEDIUM] CWE-346 next.js: Next.js: null origin can bypass Server Actions CSRF checks
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-29057 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-29057 [MEDIUM] CVE-2026-29057 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29057 :
ASP.NET Core vulnerability analysis and mitigation
Source : NVD
## 6.3
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
ASP.NET Core
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dotnet-targeting-pack-7.0
langfuse-2
Sources
NVD
Chainguard Has Fix Added at: Mar 20, 2026
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wolfi Has Fix Added at: Mar 20, 2026
Wiz
GHSA-5j59-xgg2-r9c4 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-55184 [HIGH] GHSA-5j59-xgg2-r9c4 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5j59-xgg2-r9c4 :
Next.js vulnerability analysis and mitigation
It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustaine
Wiz
GHSA-w37m-7fhw-fmv9 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-55183 [MEDIUM] GHSA-w37m-7fhw-fmv9 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-w37m-7fhw-fmv9 :
Next.js vulnerability analysis and mitigation
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.
A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.
Source : NVD
## 5.3
Score
Published December 11, 2025
Severity MEDIUM
CNA Score N/A
Affected Technologies
Next.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Da
Wiz
CVE-2025-59472 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-59472 [MEDIUM] CVE-2025-59472 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59472 :
ASP.NET Core vulnerability analysis and mitigation
Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Source : NVD
## 7.5
Score
Published January 26, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
ASP.NET Core
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dotnet7.0
dotnet-sdk-7.0
Sources
NVD
Chainguard Has Fix Added at: F
Wiz
CVE-2026-27978 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-27978 [MEDIUM] CVE-2026-27978 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27978 :
ASP.NET Core vulnerability analysis and mitigation
Source : NVD
## 5.3
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
ASP.NET Core
.NET Core SDK
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dotnet-templates-7.0
netstandard-targeting-pack-2.1
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wiz
GHSA-mwv6-3258-q52c Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-55184 [HIGH] GHSA-mwv6-3258-q52c Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mwv6-3258-q52c :
Next.js vulnerability analysis and mitigation
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
Source : NVD
## 7.5
Score
Published December 11, 2025
Severity HIGH
CNA Score N/A
Affected Technologies
Next.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Prob
Wiz
CVE-2026-27977 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2026-27977 [LOW] CVE-2026-27977 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27977 :
ASP.NET Core vulnerability analysis and mitigation
Source : NVD
## 2.3
Score
Published March 18, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
ASP.NET Core
.NET Core SDK
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dotnet-targeting-pack-7.0
dotnet-templates-7.0
Sources
NVD
npm Severity LOW Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wiz
CVE-2026-27979 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-27979 [MEDIUM] CVE-2026-27979 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27979 :
ASP.NET Core vulnerability analysis and mitigation
Source : NVD
## 6.9
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
ASP.NET Core
.NET Core SDK
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dotnet-sdk-7.0
dotnet-sdk-7.0-source-built-artifacts
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wiz
CVE-2025-59471 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-59471 [MEDIUM] CVE-2025-59471 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59471 :
ASP.NET Core vulnerability analysis and mitigation
Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Source : NVD
## 7.5
Score
Published January 26, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
ASP.NET Core
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dotnet-sdk-7.0
dotnet-sdk-7.0-source-built-artifacts
Sources
NVD
Chainguard Has Fix Added at: Feb 10, 2026
npm Severity MEDIUM Has Fix Added at: Jan 28, 2026
Red Hat 7, 8, 9, 10 Severity MEDIUM No Fix Added
Wiz
CVE-2026-27980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-27980 [MEDIUM] CVE-2026-27980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27980 :
ASP.NET Core vulnerability analysis and mitigation
Source : NVD
## 6.9
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
ASP.NET Core
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
langfuse-3
langfuse-2
Sources
NVD
Chainguard Has Fix Added at: Mar 20, 2026
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Red Hat 9 Severity MEDIUM No Fix Added at: Mar 19, 2026
Wolfi Has Fix Added at: Mar 20, 2026