4917 matches found
EUVD-2026-1467
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate, , or redirect, the app performs a navigation/redirect to an external URL. This is only an...
CVE-2025-68470 React Router has unexpected external redirect via untrusted paths
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate, , or redirect, the app performs a navigation/redirect to an external URL. This is only an...
CVE-2025-68470
CVE-2025-68470 affects React Router (versions 6.0.0–6.30.1 and 7.0.0–7.9.5). An attacker-supplied path can cause a navigation/redirect to an external URL when navigating via navigate(), Link, or redirect(), if untrusted content is used in navigation paths. The issue is addressed in React Router b...
CVE-2025-68470 React Router has unexpected external redirect via untrusted paths
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate, , or redirect, the app performs a navigation/redirect to an external URL. This is only an...
react-router 跨站脚本漏洞
react-router is a Remix open source declarative routing for React. A cross-site scripting vulnerability exists in react-router versions 7.0.0 through 7.8.2, which stems from a cross-site scripting vulnerability when generating script:ld+json tags in framework mode, which could lead to the executi...
PT-2026-2120
Name of the Vulnerable Software and Affected Versions @remix-run/react versions prior to 2.17.3 react-router versions 7.0.0 through 7.11.0 Description React Router, a router for React, contains a cross-site scripting XSS issue within the API when operating in Framework Mode during Server-Side...
react-router 跨站脚本漏洞
react-router is a Remix open source declarative routing for React. A cross-site scripting vulnerability exists in React Router version 7.11.0 and earlier, which stems from the fact that an open navigation redirect may lead to an insecure URL, which could result in accidental client-side execution...
react-router 跨站请求伪造漏洞
react-router is a Remix open source declarative routing for React. A cross-site request forgery vulnerability exists in react-router version 7.11.0 and earlier, which stems from the vulnerability to a cross-site request forgery attack against document POST requests when using a server-side route...
PT-2026-1914
Name of the Vulnerable Software and Affected Versions React Router versions 6.0.0 through 6.30.1 React Router versions 7.0.0 through 7.9.5 Description A crafted path supplied by an attacker can cause a React Router application to navigate or redirect to an external URL when using navigate, , or...
react-router 输入验证错误漏洞
react-router is a Remix open source declarative routing for React. An input validation error vulnerability exists in React Router versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, which originates in specially crafted routes and could lead to redirection attacks...
react-router 跨站脚本漏洞
react-router is a Remix open source declarative routing for React. A cross-site scripting vulnerability exists in React Router versions 7.0.0 through 7.11.0 that stems from the use of untrusted content to generate keys during server-side rendering, which could lead to a cross-site scripting attac...
PT-2026-2138
Name of the Vulnerable Software and Affected Versions react-router versions 7.0.0 through 7.11.0 @remix-run/server-runtime versions prior to 2.17.3 Description React Router, used as a router for React applications, is susceptible to Cross-Site Request Forgery CSRF attacks. This affects document...
CVE-2023-25933
A type confusion bug in TypedArray prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could have been used by a malicious attacker to execute arbitrary code via untrusted JavaScript. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, mos...
CVE-2021-31712
react-draft-wysiwyg aka React Draft Wysiwyg before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS...
CVE-2020-12113
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used...
CVE-2023-25572
react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...
CVE-2022-31103
lettersanitizer is a DOM-based HTML email sanitizer for in-browser email rendering. All versions of lettersanitizer below 1.0.2 are affected by a denial of service issue when processing a CSS at-rule @keyframes. This package is depended on by react-letter, therefore everyone using react-letter is...
EUVD-2026-1839
Malicious code in secguest-react-lib npm...
React Router has CSRF issue in Action/Server Action Request Processing
React Router or Remix v2 is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. !NOTE This does not impact your application if you are using Declarative...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to the improper origin checks of UI route submissions in server-side route action handlers in Framework Mode. An attacker can execute unauthorized actions by tricking a user into submitting a crafted...