React
CVE-2026-29613
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.
AnalysisAI
Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 5.9).
Technical ContextAI
This vulnerability (CWE-306: Missing Authentication for Critical Function) affects Openclaw. OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.
RemediationAI
A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-202
react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and
HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scrip
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc
Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react
Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).
React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names a
A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client
Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-xc7w-v5x6-cc87