CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain a remote code execution caused by unsafe deserialization of payloads from HTTP requests to Server Function endpoints, letting...

10CVSS8.4AI score0.84489EPSS

Exploits362References8

EUVD•added 4 days ago•9 views

EUVD-2026-33988

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets...

8CVSS5.8AI score0.00032EPSS

Exploits0References2

RedhatCVE•added 4 days ago•8 views

CVE-2026-44582

A flaw was found in Next.js. React Server Component responses are vulnerable to cache poisoning in deployments that use shared caches without proper response partitioning. An attacker can exploit collisions in the rsc cache-busting value to poison cache entries. This allows users to receive...

3.7CVSS5.6AI score0.00009EPSS

Exploits1References4

Positive Technologies•added 4 days ago•9 views

PT-2026-46087

When using React Router v7's unstable RSC APIs, there exists a potential client-side XSS issue in the RSC redirect handling if redirects are coming from untrusted sources !NOTE This only impacts your application if you are using the unstable RSC APIs in React Router...

8CVSS5.8AI score0.00032EPSS

Exploits0References4

Tenable Nessus•added 4 days ago•7 views

Linux Distros Unpatched Vulnerability : CVE-2026-44582

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be...

3.7CVSS5.8AI score0.00009EPSS

Exploits1References2

Snyk•added 5 days ago•4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the redirect handling of unstable React Server Components RSC APIs. An attacker can execute arbitrary JavaScript code in the user's browser by supplying a crafted javascript: redirect target from an untrusted...

8CVSS5.6AI score0.00032EPSS

Exploits0References2

Vulnrichment•added 5 days ago•4 views

CVE-2026-34077 React Router vulnerable to Denial of Service via reflected user input in single-fetch

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components RSC APIs, there is a potential client-side Cross-Site Scripting XSS vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not...

7.5CVSS5.8AI score0.00042EPSS

Exploits0References1

CVE•added 5 days ago•23 views

CVE-2026-34077

React Router upstream vulnerability CVE-2026-34077 affects versions 7.7.0–7.13.1 where, when using unstable React Server Components APIs, the RSC redirect handling can lead to a client-side XSS if redirects come from untrusted sources. The issue does not impact non-RSC applications. A fix is avai...

7.5CVSS5.8AI score0.00042EPSS

Exploits0References1Affected Software2

Positive Technologies•added 5 days ago•8 views

PT-2026-45826

Name of the Vulnerable Software and Affected Versions React Router versions 7.7.0 through 7.13.1 Description A client-side Cross-Site Scripting XSS issue exists in the redirect handling of the unstable React Server Components RSC APIs. This occurs when redirects originate from untrusted sources...

8CVSS5.4AI score0.00032EPSS

Exploits0References4

GithubExploit•added 2026/05/30 12:26 a.m.•60 views

Exploit for CVE-2025-66478

CVE-2025-66478-Research-Proof-of-Concept Overview This re...

7.5AI score

Exploits111

RedhatCVE•added 2026/05/29 12:30 p.m.•9 views

CVE-2026-23870

A flaw was found in the React Server DOM components, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. A remote attacker could exploit this denial of service DoS vulnerability by sending specially crafted HTTP requests to server function endpoints. This...

7.5CVSS5.7AI score0.00338EPSS

Exploits1References4

RedhatCVE•added 2026/05/28 11:12 a.m.•7 views

CVE-2026-44576

A flaw was found in Next.js, a React framework for building web applications. This vulnerability, related to cache poisoning, affects applications utilizing React Server Components RSC when shared caches fail to properly partition response variants. A remote attacker can exploit this by causing a...

5.4CVSS5.8AI score0.00016EPSS

Exploits0References4

GithubExploit•added 2026/05/26 6:59 p.m.•64 views

Exploit for Deserialization of Untrusted Data in Facebook React

CVE-2025-55182 Lab — React Server Components RCE !Dockerh...

10CVSS5.9AI score0.84489EPSS

Exploits362

GithubExploit•added 2026/05/25 10:6 p.m.•70 views

Exploit for Deserialization of Untrusted Data in Facebook React

CVE-2025-55182 — React Server Components Pre-Auth RCE "React2...

10CVSS7.5AI score0.84489EPSS

Exploits376