Next.js 16.2 ships with CVE-2026-27979 and CVE-2026-29057 patches

Cross-Cutting · frontend, security · discussion · from digest 2026-04-21

Vercel released a backported Next.js 16.2 update that patches two CVEs alongside stability fixes. CVE-2026-27979 tightens enforcement of maxPostponedStateSize, preventing attackers from pushing oversized postponed state through the App Router. CVE-2026-29057 patches an http-proxy dependency that could be abused via middleware request paths. The same update fixes streaming fetch hangs, applies the server actions transform inside node_modules, adds an LRU disk cache for images, and blocks privacy-sensitive dev websockets. Teams should upgrade any Next.js 16.x deployment immediately, because the vulnerabilities affect default configurations. The http-proxy fix is transitive: a plain `npm update` on a downstream app will not pick it up unless the Next.js dependency itself is bumped, so verify the resolved version in the lockfile rather than trusting the update command alone. Review CSP and dev tooling exposure before promoting through staging.

└─Vercel