
11 matches found

Vulnrichment
added 2026/04/18 6:20 a.m. | 2 views

CVE-2026-25917 Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5)

Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...

6 AI score | 0.00051 EPSS
Exploits: 0 | References: 2

Veracode
added 2025/12/13 11:1 a.m. | 8 views

Denial Of Service (DoS)

react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack and next are vulnerable to Denial of Service (DoS). The vulnerability is due to insufficient patching of unsafe payload deserialization in React Server Components, where maliciously crafted HTTP requests sent to Server...

7.5 CVSS | 6.7 AI score | 0.01646 EPSS
Exploits: 10 | References: 6 | Affected Software: 5

CVE
added 2025/12/11 8:5 p.m. | 33 views

CVE-2025-55184

CVE-2025-55184 is a pre-authentication Denial of Service vulnerability in React Server Components from versions 19.0.0 through 19.2.2 (affecting react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack). The issue arises from unsafe deserialization of HTTP payloads sent t...

7.5 CVSS | 6.6 AI score | 0.41239 EPSS
In wild | Exploits: 10 | References: 3 | Affected Software: 1

Metasploit
added 2025/12/09 6:55 p.m. | 539 views

Unauthenticated RCE in React Server Components (React2Shell)

A critical unauthenticated Remote Code Execution (RCE) vulnerability exists in the React Server Components (RSC) Flight protocol. The vulnerability allows attackers to achieve prototype pollution during deserialization of RSC payloads by sending specially crafted multipart requests with "proto",...

7.1 AI score
Exploits: 0

The Hacker News
added 2025/12/03 6:19 p.m. | 21 views

Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. The vulnerability has been codenamed React2shell. It allows...

10 CVSS | 8.4 AI score | 0.84541 EPSS
Exploits: 373

NVD
added 2025/12/03 4:15 p.m. | 16 views

CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes...

10 CVSS | 0.84541 EPSS
Exploits: 359 | References: 6

Vulnrichment
added 2025/12/03 3:40 p.m. | 12 views

CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes...

10 CVSS | 7.8 AI score | 0.84541 EPSS
Exploits: 359 | References: 2

Cvelist
added 2025/12/03 3:40 p.m. | 64 views

CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes...

10 CVSS | 0.84541 EPSS
Exploits: 359 | References: 2

Positive Technologies
added 2025/12/03 12:0 a.m. | 11 views

PT-2025-48817

Name of the Vulnerable Software and Affected Versions: React Server Components versions 19.0.0 through 19.2.0. Description: A pre-authentication remote code execution issue exists in React Server Components, specifically affecting the react-server-dom-parcel, react-server-dom-turbopack, and...

10 CVSS | 7.9 AI score | 0.84541 EPSS
Exploits: 359

Positive Technologies
added 2024/01/25 12:0 a.m. | 2 views

PT-2024-14920 · Red Hat +3 · Red Hat Fuse 7 +9

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: A flaw was found in the JSON payload. If annotation-based security is used to secure a REST resource, the JSON body that the resource may consume is bei...

9.8 CVSS | 6.5 AI score | 0.00673 EPSS
Exploits: 0 | References: 13

Github Security Blog
added 2022/05/24 4:57 p.m. | 9 views

Liferay Portal Allows RCE via Deserialization of a JSON Payload

Liferay Portal CE 7.1.0 and earlier allows remote command execution because of deserialization of a JSON payload...

9.8 CVSS | 9.5 AI score | 0.79558 EPSS
Exploits: 1 | References: 6 | Affected Software: 1