19 matches found
CVE-2026-44579
A flaw was found in Next.js. Applications utilizing Partial Prerendering via the Cache Components feature are susceptible to connection exhaustion. A remote attacker can send crafted POST requests to a server action, triggering a request-body handling deadlock. This leaves connections open,...
CVE-2026-44579
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected...
CVE-2026-44579 Next.js: Denial of Service via connection exhaustion in applications using Cache Components
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected...
CVE-2026-39371
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, server functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger...
Allocation of Resources Without Limits or Throttling
Overview: Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in parseRequestBody, when parsing Server Action requests. Attackers can trigger ...
EUVD-2026-1464
React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router or Remix v2 is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when...
CVE-2026-22030
CVE-2026-22030 affects React Router in combination with Remix v2 server runtime in Framework Mode or with React Server Actions (RSC). The vulnerability allows CSRF on document POST requests to UI routes when using server-side route actions, with no impact in Declarative Mode () or Data Mode (crea...
CVE-2026-22030 React Router has CSRF issue in Action/Server Action Request Processing
React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router or Remix v2 is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when...
Exploit for CVE-2025-66478
React2Shell POC https://nextjs.org/blog/CVE-2025-66478 테스...
Exploit for CVE-2025-55182
CVE-2025-55182 – React2Shell RCE Summary Remote Code Exec...
Exploit for CVE-2025-55182
CVE-2025-55182 Exploit Tool CVE-2025-55182 Comprehensive Expl...
EUVD-2025-20869
Malicious code in bioql PyPI...
CVE-2025-53620
The CVE-2025-53620 issue affects @builder.io/qwik-city (Qwik meta-framework) where executing a Qwik Server Action QRL may load the file containing the symbol; if an invalid qfunc is sent, the server does not handle the thrown error, causing a Node.js process exit. This is documented as a vulnerab...
PT-2025-28958 · Builder.Io · @Builder.Io/Qwik-City
Name of the Vulnerable Software and Affected Versions: @builder.io/qwik-city versions prior to 1.13.0 Description: The @builder.io/qwik-city meta-framework for Qwik is susceptible to an issue where improper handling of invalid qfunc during the execution of a Qwik Server Action QRL can lead to a...
CVE-2022-33312
Multiple command injection vulnerabilities exist in the webserver action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The...
Command injection
Multiple command injection vulnerabilities exist in the webserver action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The...
CVE-2022-33313
CVE-2022-33313 affects Robustel R1510 (3.3.0) web_server endpoints. Multiple OS command injection flaws arise from unsafe handling of user-controlled input in several /action/ endpoints (notably /action/import_https_cert_file/, /action/import_cert_file/, and /action/import_sdk_file/). The root ca...
Gitea input validation error vulnerability
Gitea is a lightweight Go-based git service developed by the Gitea community. Gitea is vulnerable to an input validation error that stems from the product's failure to determine that a request originated from a trusted user, which could be exploited to send an unintended request to the server...
Cross-site request forgery (CSRF)
Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action...