@unhead/angular (>=3.0.0 <=3.0.0-rc.4), @unhead/react (>=3.0.0 <=3.0.0-rc.4) +4 more potentially affected by unknown CVE via unhead (>=3.0.0-beta.5 <=3.0.0)

unhead NPM version =3.0.0-beta.5, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0-rc.4 Source cves: unknown CVE Source advisory: SNYK:JS-UNHEAD-15989796...

@vitejs/plugin-rsc has a Denial of Service with React Server Components

Impact @vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.4. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg Patches Upgrade immediately to @vitejs/[email protected] or...

GHSA-V457-WXVJ-P9W9 @vitejs/plugin-rsc has a Denial of Service with React Server Components

Impact @vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.4. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg Patches Upgrade immediately to @vitejs/[email protected] or...

GHSA-Q4GF-8MX6-V5V3 Next.js has a Denial of Service with Server Components

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this...

Next.js has a Denial of Service with Server Components

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this...

EUVD-2026-20584

React Server Components have a Denial of Service Vulnerability...

React Server Components have a Denial of Service Vulnerability

Impact A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0, 19.1.0 and 19.2.0. The vulnerability is triggered by sending specially crafted HTTP requests...

@cedarjs/api-server (>=1.0.0-canary.12863 <=9.0.0-canary.1784), @cedarjs/cli (>=1.0.0-canary.12863 <=9.0.0-canary.1784) +12 more potentially affected by CVE-2026-23869 via react-server-dom-webpack (>=19.2.1 <=19.2.4)

react-server-dom-webpack NPM version =19.2.1, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =3.0.0-canary.13429, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863, =1.0.0-canary.12863,...

@amazeelabs/bridge-waku (>=1.1.9 <=2.0.1), @amazeelabs/executors (>=3.1.12 <=3.1.14) +20 more potentially affected by CVE-2026-23869 via react-server-dom-webpack (>=19.0.0 <=19.0.1)

react-server-dom-webpack NPM version =19.0.0, =1.1.9, =3.1.12, =1.4.7, =1.1.3, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859,...

GHSA-479C-33WC-G2PG React Server Components have a Denial of Service Vulnerability

Impact A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0, 19.1.0 and 19.2.0. The vulnerability is triggered by sending specially crafted HTTP requests...

Security Bulletin: Vulnerabilities in lodash, qs might affect IBM Storage Defender Sentinel Anomaly Scan Engine.

Summary IBM Storage Defender Sentinel Anomaly Scan Engine can be affected by vulnerabilities in lodash, qs, and react-router. Vulnerabilities include allowing an attacker to cause improper modification of object attributes, open redirect, and denial of service. More details are described by the...

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of React Router

Summary Due to use of React Router, DevOps Test Performance and Rational Performance Tester contain a potential Cross-Site Scripting XSS vulnerability. CVE-2026-22029 Vulnerability Details CVEID:CVE-2026-22029 DESCRIPTION: React Router is a router for React. In @remix-run/router version prior to...

Exploit for Deserialization of Untrusted Data in Facebook React

markdown Summary CVE-2025-55182 Scanner is a high-perfor...

Exploit for CVE-2026-23869

CVE-2026-23869 - Proof of Concept PoC Description This...

Security Bulletin: XSS Vulnerability in React Router meta()/Meta APIs During SSR, affects watsonx.data

Summary React Router @remix-run/react 1.15.0–2.17.0, react-router 7.0.0–7.8.2 is vulnerable to XSS in meta/Meta APIs when generating script:ld+json tags in Framework Mode. Arbitrary JavaScript could execute during SSR if untrusted content is used. No impact occurs in Declarative Mode BrowserRoute...

📄 React Server 19.2.0 Remote Code Execution

React Server versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 proof of concept remote code execution exploit. Exploit Title: React Server 19.2.0 - Remote Code Execution Date: 2025-12-05 Exploit Author: EynaExp https://github.com/EynaExp Vendor Homepage: https://react.dev Software Link:...

@saasmakers/ui (>=0.1.88 <=0.1.117), @styleframe/app (>=0.0.1 <=0.1.1) +13 more potentially affected by CVE-2026-39315 via unhead (>=2.0.0-alpha.0 <=2.1.12)

unhead NPM version =2.0.0-alpha.0, =0.1.88, =0.0.1, =1.1.0, =2.0.0, =2.0.0, =2.0.0-alpha.0, =2.0.0, =2.0.0, =2.0.0, =1.2.0, =0.0.2, =0.17.0, =2.0.0-alpha.8, =0.1.0-beta.10, =0.1.0-beta.14 Source cves: CVE-2026-39315 Source advisory: SNYK:JS-UNHEAD-15965923...

React2DoS (CVE-2026-23869): When the Flight Protocol Crashes at Takeoff

Executive Summary In this article, we disclose a new high severity unauthenticated remote denial‑of‑service vulnerability we identified and reported in React Server Components that we’ve dubbed “React2DoS”. In this blog, we’ll analyze its impact and place it in the broader context of recently fou...

K000160686: React framework vulnerability CVE-2026-23869

Security Advisory Description A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4. T...

React Server 19.2.0 - Remote Code Execution

Exploit Title: React Server 19.2.0 - Remote Code Execution Date: 2025-12-05 Exploit Author: EynaExp https://github.com/EynaExp Vendor Homepage: https://react.dev Software Link: https://react.dev/reference/rsc/server-components Version: 19.0.0, 19.1.0, 19.1.1, 19.2.0 Tested on: Windows,Linux CVE :...