React
Monthly
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
Openclaw versions up to 2026.2.12 are affected by missing authentication for a critical function (CVSS 5.9).
Maxsite CMS versions up to 109.1 contain a vulnerability that allows attackers to perform code injection (CVSS 7.3).
TeamCity versions up to 2025.11.3 are affected by URL redirection to an untrusted site (open redirect) (CVSS 4.3).
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaScript in users' browsers when developers pass unsanitized input from URL parameters or other sources to the repo prop. The vulnerability stems from unsafe use of dangerouslySetInnerHTML without input validation, and public exploit code exists. Upgrading to version 1.0.1 or later eliminates the risk by removing dangerouslySetInnerHTML in favor of safe JSX data binding.
Simple Membership (WordPress plugin) versions up to 4.7.0 contain a security vulnerability (CVSS 6.5).
Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack) allows unauthenticated remote attackers to trigger denial of service through malformed requests to Server Function endpoints, causing server crashes, memory exhaustion, or CPU spikes. Applications using these packages are at risk of availability disruption. No patch is currently available; immediate mitigation and monitoring are recommended.
A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. [CVSS 4.3 MEDIUM]
The Linux kernel's Ceph authentication handler fails to properly propagate errors from mon_handle_auth_done(), allowing the msgr2 protocol to proceed with session establishment even when authentication fails in secure mode. This can trigger a NULL pointer dereference in prepare_auth_signature(), causing a denial of service on systems using Ceph for storage or communication. Local attackers with privileges to interact with Ceph authentication can crash the kernel or cause system instability.
React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3. [CVSS 6.5 MEDIUM]
React Router is a router for React. In @remix-run/router versions prior to 1.23.2. [CVSS 8.0 HIGH]
React Router is a router for React. In @remix-run/react versions prior to 2.17.3. [CVSS 8.2 HIGH]
React Router versions up to 6.30.1 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.5).
React Router (@react-router/node 7.0.0-7.9.3) has a path traversal in file-based session storage when using unsigned cookies. Attackers can manipulate session file paths to read or write arbitrary files on the server.
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. [CVSS 7.6 HIGH]
HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scripts when applications pass unsanitized user-controlled data as component children, with public exploit code already available. The vulnerability stems from a regression in Preact 10.26.5 that weakened protections against constructing Virtual DOM elements from malicious JSON payloads. Affected applications are vulnerable if they consume unvalidated external data without sanitization and lack additional mitigations like Content Security Policy.
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request.
react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and Base64-encoded secrets are stored as plaintext in compiled native binaries, allowing attackers with network access to extract these credentials via static analysis of the binary. This affects all applications using the vulnerable library version, and the high CVSS score of 7.5 reflects the ease of exploitation (no authentication required) and significant confidentiality impact, though the practical risk depends on whether secrets are actually embedded at build time and the sensitivity of exposed data.