416 matches found
VulnCheck KEV: CVE-2024-46982
Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce...
CVE-2024-45047
Svelte is a performance-oriented web framework. A potential mXSS vulnerability exists in Svelte for versions up to but not including 4.2.19. Svelte improperly escapes HTML on server-side rendering. The assumption is that attributes will always stay as such, but in some situations the final DOM tree...
CVE-2022-24717
ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). In versions prior to 0.1.5, a cross-site scripting (XSS) issue can occur when providing untrusted input to the redirect.link property as an argument to the buildMessagePageOptions function. While there is no known...
PT-2025-19842 · Qualcomm · Snapdragon +19
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue is related to memory corruption that occurs during concurrent Server-Side Rendering (SSR) execution. This corruption is caused by a race condition on the global maps list...
SUSE CVE-2025-43864
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the...
CVE-2025-43864
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the...
CVE-2025-43864 React Router allows a DoS via cache poisoning by forcing SPA mode
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the...
React Router allows a DoS via cache poisoning by forcing SPA mode
Summary: After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this...
CVE-2022-24718
ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). In versions prior to 0.1.4, a path traversal issue can occur when providing untrusted input to the svg property as an argument to the buildMessagePageOptions function. While there is no known workaround at this time,...
Cache Poisoning
Next is vulnerable to Cache Poisoning. The vulnerability is due to improper handling of crafted HTTP requests, causing the incorrect caching of non-dynamic server-side rendered routes in the pages router. It allows an attacker to manipulate the cache, potentially serving stale or incorrect conten...
GHSA-GP8F-8M3G-QVJ9 Next.js Cache Poisoning
Impact: By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a...
CVE-2024-46982
CVE-2024-46982 affects Next.js pages router SSR caching: crafted requests can poison non-dynamic SSR routes (e.g., pages/dashboard.tsx) and lead to caching of sensitive responses with Cache-Control: s-maxage=1, stale-while-revalidate, potentially spreading via upstream CDNs. Affected versions are...
Cross-Site Scripting (XSS)
Svelte is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper HTML escaping during server-side rendering, allowing an attacker to inject malicious content and execute unauthorized scripts in the victim's browser...
GHSA-8266-84WP-WV5C Svelte has a potential mXSS vulnerability due to improper HTML escaping
Summary: A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19. Details: Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules: - If the string is an attribute value: - " → &quot; - & → &amp; - Other characters → No conversion -...
PT-2024-31398 · Svelte · Svelte
Name of the Vulnerable Software and Affected Versions: Svelte versions prior to 4.2.19. Description: A potential mXSS vulnerability exists in Svelte due to improper HTML escaping on server-side rendering. The issue arises when the final DOM tree rendered on browsers differs from what Svelte expect...
Svelte cross-site scripting vulnerability
Svelte is a new way to build web applications from Svelte Open Source. A cross-site scripting vulnerability exists in Svelte 4.2.19 and earlier versions that stems from improper HTML escaping during server-side rendering, which could lead to a variant cross-site scripting attack, especially when...
Cross-Site Scripting
@builder.io/qwik is vulnerable to Cross-Site Scripting. The vulnerability is due to improper escaping of HTML on server-side rendering, which converts strings according to the rules in the render-ssr.ts...
GHSA-2RWJ-7XQ8-4GX4 Qwik has a potential mXSS vulnerability due to improper HTML escaping
Summary: A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. Details: Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules: https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L12...
Qwik security vulnerability
Qwik is a micro web framework open-sourced by Qwik Dev. A security vulnerability exists in Qwik version 1.6.0 and earlier versions that stems from incorrectly escaping HTML during server-side rendering, resulting in a cross-site scripting vulnerability...
GHSA-VF6R-87Q4-2VJF nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR
Summary: The navigateTo function attempts to block the javascript: protocol, but does not correctly use APIs provided by unjs/ufo. This library also contains parsing discrepancies. Details: The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL...