React
CVE-2026-28194
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
In JetBrains TeamCity before 2025.11.3 open redirect was possible in the React project creation flow
AnalysisAI
Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
Technical ContextAI
This vulnerability (CWE-601: URL Redirection to Untrusted Site (Open Redirect)) affects Teamcity. In JetBrains TeamCity before 2025.11.3 open redirect was possible in the React project creation flow
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-202
react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and
HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scrip
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc
Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react
Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).
React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names a
Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 5.9).
A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client
Share
External POC / Exploit Code
Leaving vuln.today