4881 matches found
MAL-2025-4540 Malicious code in @fms-common-biz/basic-react (npm)
The package communicates with a domain associated with malicious activity...
CVE-2024-47824
matrix-react-sdk is a react-based software development kit for inserting a Matrix chat/VOIP client into a web page. Starting in version 3.18.0 and before 3.102.0, matrix-react-sdk allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that roo...
CVE-2024-21668
react-native-mmkv is a library that allows easy use of MMKV inside React Native applications. Before version 2.11.0, the react-native-mmkv logged the optional encryption key for the MMKV database into the Android system log. The key can be obtained by anyone with access to the Android Debugging...
CVE-2024-51749
Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events that trigger a file download once clicked. Fixed in...
CVE-2024-25466
Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 and fixed in v.9.1.1 allows a local attacker to execute arbitrary code via a crafted script to the Android library component...
CVE-2023-51843
react-dashboard 1.4.0 is vulnerable to Cross Site Scripting (XSS) as httpOnly is not set...
CVE-2023-46134
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in...
CVE-2023-41167
@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a react component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the...
CVE-2023-5654
The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch(). The URL is not...
CVE-2023-30609
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message...
MAL-2025-4393 Malicious code in react-stitches (npm)
Source: ghsa-malware c6aadb4042b3d0276837870bb016b686e41ca410df61fda4ecf6d6886a1a296a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2023-23556
An error in BigInt conversion to Number in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been used by a malicious attacker to execute arbitrary code due to an out-of-bound write. Note that this bug is only exploitable in cases where Hermes is used to execute untrusted...
CVE-2023-0365
The React Webcam WordPress plugin through 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
MAL-2025-4392 Malicious code in react-loggers (npm)
Source: ghsa-malware 76a70b9997debf659f2b9059c7ceeb8f0709870b31e28b9f947c2c0f0acd4d0b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2023-23557
An error in Hermes' algorithm for copying object properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScrip...
CVE-2023-3294
Cross-site Scripting (XSS) - DOM in GitHub repository saleor/react-storefront prior to c29aab226f07ca980cc19787dcef101e11b83ef7...
Malicious code in zzr-react-custom-widget (npm)
Source: ghsa-malware 4cc679d3328b5509a2417ca20a366fb8e1113772f0f3e39a99e6fb2faab531cf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...