4945 matches found
Malicious code in airkey-mfa-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector addd30fd6d90110d178ea017b2968c6014dab0e8304bdfeb55b13612a75f61da Package auto-executes a preinstall script node test.js on npm install that collects username, hostname, platform, Node version, and CI flag and POSTs...
Security Bulletin: Multiple Vulnerabilities in IBM API Connect
Summary Multiple vulnerabilities were addressed in IBM API Connect version v10.0.8.10 Vulnerability Details CVEID:CVE-2026-33244 DESCRIPTION: React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the...
Malicious code in react-next-dom (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e7369fd2dd1ba9002d2c693ba08c553c7c6fef54dba372146c11f20b43607aa react-next-dom masquerades as a React/Next.js ecosystem package but ships a pino-like surface concealing a remote code loader. The main export is a...
MAL-2026-6825 Malicious code in react-next-dom (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e7369fd2dd1ba9002d2c693ba08c553c7c6fef54dba372146c11f20b43607aa react-next-dom masquerades as a React/Next.js ecosystem package but ships a pino-like surface concealing a remote code loader. The main export is a...
CVE-2026-14802
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The...
CVE-2026-14802 react create-react-app react-dev-utils openBrowser.js startBrowserProcess os command injection
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The...
EUVD-2026-41815
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The...
CVE-2026-14802
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The...
CVE-2026-14802
CVE-2026-14802 affects react-create-app releases up to 5.0.1 on macOS, targeting the startBrowserProcess function in openBrowser.js within react-dev-utils. The root cause is an input manipulation that enables OS command injection, with remote exploitation described as possible and the exploit pub...
MAL-2026-10230 Malicious code in enbd-react-lib (npm)
The enbd-react-lib package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization an 'enbd' interna...
Malicious code in tme-xca-react (npm)
The tme-xca-react package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a 'tme' internal...
EUVD-2026-41437
react-native-receive-sharing-intent contains a path traversal vulnerability that allows a co-resident malicious application to write files outside the intended cache directory by supplying a crafted displayname value containing dot-dot path components through a malicious ContentProvider. Attacker...
CVE-2026-58460 react-native-receive-sharing-intent Path Traversal via _display_name
react-native-receive-sharing-intent contains a path traversal vulnerability that allows a co-resident malicious application to write files outside the intended cache directory by supplying a crafted displayname value containing dot-dot path components through a malicious ContentProvider. Attacker...
react-server-dom-webpack: react-server-dom-parcel: reactreact-server-dom-turbopack: React Server Components: Denial of Service via specially crafted HTTP requests
A flaw was found in React Server Components. A remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to Server Function endpoints. This can lead to a Denial of Service DoS, causing server crashes, out-of-memory exceptions, or excessive CPU usage, thereby...
Malicious code in react-editable-calendar (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ef4c5725bd98fb80c8dc59c58f68627b6a69aa4c4ae16d3f0c70c011895144cb package.json declares a preinstall hook node src/utils/index.d.js, but the published tarball's files whitelist ships only dist/, README.md, and LICEN...
MAL-2026-6547 Malicious code in react-editable-calendar (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ef4c5725bd98fb80c8dc59c58f68627b6a69aa4c4ae16d3f0c70c011895144cb package.json declares a preinstall hook node src/utils/index.d.js, but the published tarball's files whitelist ships only dist/, README.md, and LICEN...
Malicious code in react-dynammic-table-component (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d47aff9bb18dcd61350fa86e19d97ddee5ee7c5bdf7f0adea4a685e89d58fa4f [email protected] declares a preinstall lifecycle script node dist/setup.js that runs automatically on npm install. The script...
CVE-2026-42342
A flaw was found in React Router and @remix-run/server-runtime. A remote attacker can exploit this vulnerability by sending certain crafted requests to the manifest endpoint. This can lead to unbounded path expansion, consuming disproportionate server resources. The primary consequence is a denia...
SUSE CVE-2026-53663
React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight,...
MAL-2026-6410 Malicious code in @su-doughnym/react-dlb (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2269beae8c30caccda966ca3aba35c3eddb4795fba0161045f14758ff150f58b Package self-identifies as a dependency-confusion bug-bounty proof-of-concept and is published at version 99.99.99 to win resolution priority over an...