PT-2026-45799

Name of the Vulnerable Software and Affected Versions React Router versions 7.5.1 through 7.13.1 Description When using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting XSS—a vulnerability where malicious scripts...

PT-2026-45835

Name of the Vulnerable Software and Affected Versions react-router versions 7.0.0 through 7.14.x @remix-run/server-runtime versions 2.10.0 through 2.17.4 Description Certain crafted requests can cause unbounded path expansion in the " manifest" endpoint, leading to disproportionate server resourc...

PT-2026-45826

Name of the Vulnerable Software and Affected Versions React Router versions 7.7.0 through 7.13.1 Description A client-side Cross-Site Scripting XSS issue exists in the redirect handling of the unstable React Server Components RSC APIs. This occurs when redirects originate from untrusted sources...

PT-2026-45832

Name of the Vulnerable Software and Affected Versions React Router versions 6.7.0 through 6.30.3 React Router versions 7.0.0 through 7.14.0 Description Certain URLs passed to the redirect function can trigger an open redirect to an external domain. This occurs because path values starting with //...

PT-2026-45834

Name of the Vulnerable Software and Affected Versions React Router versions 7.0.0 through 7.14.1 Description When using Framework Mode, a combination of steps could allow unauthorized remote code execution RCE through external requests. This occurs because the vendored turbo-stream v2 can be abus...

PT-2026-45828

Name of the Vulnerable Software and Affected Versions React Router versions 7.7.0 through 7.13.1 React Router versions prior to 7.14.0 Remix versions 2.9.0 and later Description Two distinct issues were identified. First, a client-side Cross-Site Scripting XSS flaw exists in the handling of...

MAL-2026-5122 Malicious code in picnic-react-mise-en-place (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d57f4579f4e0842567d9e59bfa74af355f457cbfdfeabe0f65a9e6952f79aa34 The OpenSSF Package Analysis project identified 'picnic-react-mise-en-place' @ 9999.0.0 npm as malicious. It is considered malicious because: -...

Malicious code in picnic-react-mise-en-place (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d57f4579f4e0842567d9e59bfa74af355f457cbfdfeabe0f65a9e6952f79aa34 The OpenSSF Package Analysis project identified 'picnic-react-mise-en-place' @ 9999.0.0 npm as malicious. It is considered malicious because: -...

Exploit for CVE-2025-66478

CVE-2025-66478-Research-Proof-of-Concept Overview This re...

Malicious Package

Overview appkit-react-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious code in appkit-react-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 49e8fbd1c8061ffedb22f37a8fa90ca96d9830f45d7d318f421681c558aec29d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5057 Malicious code in appkit-react-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 49e8fbd1c8061ffedb22f37a8fa90ca96d9830f45d7d318f421681c558aec29d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview @citi-icg-158830/icgds-react-css is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

MAL-2026-5078 Malicious code in raven-i18n-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 16965d1a02185ab8a7880951f6889127e66f0c1b3ffc718023ce2ac3593bffc7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in raven-i18n-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 16965d1a02185ab8a7880951f6889127e66f0c1b3ffc718023ce2ac3593bffc7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in react-svg-animator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware df0945fc4ef48dfcf552b844a84717606557a3d2ec592aa486a6f464eb290eb4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview react-svg-animator is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

MAL-2026-5079 Malicious code in react-svg-animator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware df0945fc4ef48dfcf552b844a84717606557a3d2ec592aa486a6f464eb290eb4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview @citi-icg-158830/elemental-ui-react is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...

CVE-2026-23870

A flaw was found in the React Server DOM components, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. A remote attacker could exploit this denial of service DoS vulnerability by sending specially crafted HTTP requests to server function endpoints. This...