Skip to main content

React CVE-2018-6341

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-12-31 cve-assign@fb.com
6.1
CVSS 3.1 · Vendor: fb
Share

Severity by source

Vendor (fb) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (fb) · only source for this CVE.

CVSS VectorVendor: fb

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 31, 2018 - 22:29 cve.org
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 148 npm packages depend on react-dom (135 direct, 16 indirect)

Ecosystem-wide dependent count for version 16.0.0.

DescriptionCVE.org

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

AnalysisAI

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2. Affected products include: Facebook React.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in React

View all
CVE-2025-55182 CRITICAL POC
10.0 Dec 03

React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-202

CVE-2025-45001 HIGH POC
7.5 Jun 09

react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and

CVE-2026-22028 MEDIUM POC
6.1 Jan 08

HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scrip

CVE-2026-27612 MEDIUM POC
6.1 Feb 25

Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc

CVE-2026-23864 HIGH
7.5 Jan 26

Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react

CVE-2026-1461 MEDIUM
6.5 Feb 19

Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).

CVE-2025-68470 MEDIUM
6.5 Jan 10

React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).

CVE-2026-30847 MEDIUM
6.5 Mar 06

Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]

CVE-2026-22030 MEDIUM
6.5 Jan 10

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]

CVE-2026-29613 MEDIUM
5.9 Mar 05

Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 5.9).

CVE-2025-14969 MEDIUM
4.3 Jan 26

A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client

CVE-2026-28194 MEDIUM
4.3 Feb 25

Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

Share

CVE-2018-6341 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy