CVE-2026-34077
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not...
CVE-2026-33245
CVE-2026-33245 affects React Router versions 7.7.0–7.13.1 when using unstable React Server Components (RSC) APIs. The issue is a client-side XSS vulnerability in the RSC redirect handling if redirects originate from untrusted sources. Applications not using the unstable RSC APIs are not affected....
CVE-2026-33245 React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not...
CVE-2026-44575 Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment...
Next.js Security Vulnerability
Next.js is a React framework open-sourced by Vercel. Versions of Next.js from 13.4.6 to 15.5.16, as well as versions before 16.2.5, have security vulnerabilities. These vulnerabilities stem from deployments that rely on shared caching and have insufficient response partitioning. A cache corruption...
@tanstack/react-start (=1.167.25) potentially affected by CVE-2026-45321 via @tanstack/react-start-rsc (=0.0.5)
@tanstack/react-start-rsc NPM version =0.0.5 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/react-start-rsc and may be impacted: - @tanstack/react-start =1.167.25 Source cves: CVE-2026-45321 Source advisory: OSV:GHSA-G7CV-RXG3-HMPX...
MAL-2026-3470 Malicious code in @tanstack/react-start-rsc (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 54678e0e02befdbc43f928e36fa9a25991d3eb222775849d4225eab0480904f1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @tanstack/react-start-rsc (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 54678e0e02befdbc43f928e36fa9a25991d3eb222775849d4225eab0480904f1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
@tanstack/react-start (=1.167.25) potentially affected by unknown CVE via @tanstack/react-start-rsc (=0.0.5)
@tanstack/react-start-rsc NPM version =0.0.5 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/react-start-rsc and may be impacted: - @tanstack/react-start =1.167.25 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3470...
@d-trattner/pidex (>=0.1.1 <=0.1.3), @tanstack/react-start (>=1.167.21 <=1.167.65) +1 more potentially affected by CVE-2026-45321 via @tanstack/react-start-rsc (>=0.0.1 <=0.0.5)
@tanstack/react-start-rsc NPM version =0.0.1, =0.1.1, =1.167.21, =0.1.0, =0.6.0 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKREACTSTARTRSC-16640211...
Use of Weak Hash
Overview next is a react framework. Affected versions of this package are vulnerable to Use of Weak Hash via collisions in the rsc cache-busting process. An attacker can manipulate cache entries by crafting requests that cause shared caches to serve incorrect response variants to users. This is...
Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
Impact React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the rsc cache-busting value can allow an attacker to poison cache entries so users receive the wron...
GHSA-W94C-4VHP-22GX @vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components
Impact @vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.6. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh Patches Upgrade immediately to @vitejs/[email protected] or...
@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components
Impact @vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.6. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh Patches Upgrade immediately to @vitejs/[email protected] or...
@c0va23/react-router-dev (=7.8.3-alpha.2), @holocron.so/cli (>=0.6.0 <=0.14.1) +15 more potentially affected by CVE-2026-23870 via @vitejs/plugin-rsc (>=0.4.11 <=0.5.24)
@vitejs/plugin-rsc NPM version =0.4.11, =0.6.0, =0.5.0, =0.0.1, =0.0.0-1ae0b37, =0.0.0-experimental-2a6c7bc, =0.0.0-pr-32412-sha-4e0feb24, =1.0.2, =0.1.0, =0.0.1, =1.18.0-rsc.19, =0.1.0, =0.0.1-alpha.0, =1.0.0, =1.0.1 and more Source cves: CVE-2026-23870 Source advisory:...
GHSA-V457-WXVJ-P9W9 @vitejs/plugin-rsc has a Denial of Service with React Server Components
Impact @vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.4. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg Patches Upgrade immediately to @vitejs/[email protected] or...
@vitejs/plugin-rsc has a Denial of Service with React Server Components
Impact @vitejs/plugin-rsc vendors react-server-dom-webpack, which contained a vulnerability in versions prior to 19.2.4. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg Patches Upgrade immediately to @vitejs/[email protected] or...
CVE-2021-27221
MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work...
Exploit for Deserialization of Untrusted Data in Facebook React
CVE-2025-55182-Rea...