Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-14802 |
|
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the...
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the...
|
| CVE-2026-58460 |
|
Path Traversal in react (CVE-2026-58460)
path traversal in react (CVE-2026-58460). Data can be tampered with by attackers.
|
| CVE-2026-12048 |
|
Cross-Site Scripting (XSS) in react (CVE-2026-12048)
cross-site scripting in react (CVE-2026-12048). Confidential information can be exposed externally.
|
| CVE-2026-12047 |
|
Cross-Site Scripting (XSS) in react (CVE-2026-12047)
cross-site scripting in react (CVE-2026-12047). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-53663 |
|
Cross-Site Request Forgery (CSRF) in react-router (CVE-2026-53663)
vulnerability in react-router (CVE-2026-53663). Risk of unauthorized operations or information disclosure. Exploitable via ``createBrowserRouter``. Mitigation: upgrade to `7.15.1` or later.
|
| CVE-2026-44496 |
|
Vulnerability in axios (CVE-2026-44496)
vulnerability in axios (CVE-2026-44496). Risk of unauthorized operations or information disclosure. Exploitable via ``document.cookie``. Mitigation: upgrade to `0.32.0` or later.
|
| CVE-2026-42342 |
|
Vulnerability in react-router (CVE-2026-42342)
vulnerability in react-router (CVE-2026-42342). Risk of unauthorized operations or information disclosure. Exploitable via ``createBrowserRouter``. Mitigation: upgrade to `7.15.0` or later.
|
| CVE-2026-42211 |
|
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
|
| CVE-2026-40181 |
|
Open Redirect in react-router (CVE-2026-40181)
vulnerability in react-router (CVE-2026-40181). Risk of unauthorized operations or information disclosure. Exploitable via ``redirect``. Mitigation: upgrade to `6.30.4` or later.
|
| CVE-2026-34077 |
|
Vulnerability in react-router (CVE-2026-34077)
vulnerability in react-router (CVE-2026-34077). Risk of unauthorized operations or information disclosure. Exploitable via ``createBrowserRouter``. Mitigation: upgrade to `7.14.0` or later.
|
| CVE-2026-33245 |
|
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
|
| CVE-2026-33244 |
|
Cross-Site Scripting (XSS) in react-router (CVE-2026-33244)
cross-site scripting in react-router (CVE-2026-33244). Risk of unauthorized operations or information disclosure. Exploitable via ``Location``. Mitigation: upgrade to `7.13.2` or later.
|
| CVE-2026-7459 |
|
Vulnerability in wordpress (CVE-2026-7459)
vulnerability in wordpress (CVE-2026-7459). Successful exploitation can lead to full system takeover.
|
| CVE-2026-9349 |
|
Information Disclosure in react (CVE-2026-9349)
vulnerability in react (CVE-2026-9349). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-30691 |
|
Cross-Site Scripting (XSS) in @cyntler/react-doc-viewer (CVE-2026-30691)
cross-site scripting in @cyntler/react-doc-viewer (CVE-2026-30691). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-44501 |
|
Unsafe Deserialization in react (CVE-2026-44501)
vulnerability in react (CVE-2026-44501). Risk of unauthorized operations or information disclosure. Exploitable via `GET /callback/oidc`. Mitigation: upgrade to `1.5.0.3` or later.
|
| CVE-2026-45109 |
|
Vulnerability in next (CVE-2026-45109)
vulnerability in next (CVE-2026-45109). Confidential information can be exposed externally. Exploitable via ``middleware.ts``. Mitigation: upgrade to `16.2.6` or later.
|
| CVE-2026-44572 |
|
Vulnerability in next (CVE-2026-44572)
vulnerability in next (CVE-2026-44572). Risk of unauthorized operations or information disclosure. Exploitable via ``Location``. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44483 |
|
Vulnerability in @rvf/set-get (CVE-2026-44483)
vulnerability in @rvf/set-get (CVE-2026-44483). Data can be tampered with by attackers. Exploitable via ``setPath``. Mitigation: upgrade to `6.0.4` or later.
|
| CVE-2026-44581 |
|
Cross-Site Scripting (XSS) in next (CVE-2026-44581)
cross-site scripting in next (CVE-2026-44581). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44582 |
|
Vulnerability in next (CVE-2026-44582)
vulnerability in next (CVE-2026-44582). Risk of unauthorized operations or information disclosure. Exploitable via ``_rsc``. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44580 |
|
Cross-Site Scripting (XSS) in next (CVE-2026-44580)
cross-site scripting in next (CVE-2026-44580). Risk of unauthorized operations or information disclosure. Exploitable via ``beforeInteractive``. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44579 |
|
Vulnerability in next (CVE-2026-44579)
vulnerability in next (CVE-2026-44579). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44577 |
|
Vulnerability in next (CVE-2026-44577)
vulnerability in next (CVE-2026-44577). Risk of unauthorized operations or information disclosure. Exploitable via ``images.localPatterns``. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44578 |
|
SSRF (Server-Side Request Forgery) in next (CVE-2026-44578)
SSRF in next (CVE-2026-44578). Confidential information can be exposed externally. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44576 |
|
Vulnerability in next (CVE-2026-44576)
vulnerability in next (CVE-2026-44576). Risk of unauthorized operations or information disclosure. Exploitable via ``RSC``. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44575 |
|
Vulnerability in next (CVE-2026-44575)
vulnerability in next (CVE-2026-44575). Confidential information can be exposed externally. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44574 |
|
Vulnerability in next (CVE-2026-44574)
vulnerability in next (CVE-2026-44574). Confidential information can be exposed externally. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-44573 |
|
Authorization Flaw in next (CVE-2026-44573)
vulnerability in next (CVE-2026-44573). Confidential information can be exposed externally. Exploitable via ``i18n``. Mitigation: upgrade to `16.2.5` or later.
|
| CVE-2026-42192 |
|
Cross-Site Scripting (XSS) in react (CVE-2026-42192)
cross-site scripting in react (CVE-2026-42192). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-42190 |
|
Cross-Site Request Forgery (CSRF) in rwsdk (CVE-2026-42190)
vulnerability in rwsdk (CVE-2026-42190). Data can be tampered with by attackers. Exploitable via ``rwsdk``. Mitigation: upgrade to `1.2.3` or later.
|
| CVE-2026-23869 |
|
Vulnerability in react (CVE-2026-23869)
vulnerability in react (CVE-2026-23869). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-23864 |
|
Vulnerability in react (CVE-2026-23864)
vulnerability in react (CVE-2026-23864). Risk of unauthorized operations or information disclosure.
|
| CVE-2025-61686 |
|
Path Traversal in react (CVE-2025-61686)
path traversal in react (CVE-2025-61686). Data can be tampered with by attackers.
|
| CVE-2025-59057 |
|
Cross-Site Scripting (XSS) in react (CVE-2025-59057)
cross-site scripting in react (CVE-2025-59057). Confidential information can be exposed externally.
|
| CVE-2026-21884 |
|
Cross-Site Scripting (XSS) in react (CVE-2026-21884)
cross-site scripting in react (CVE-2026-21884). Confidential information can be exposed externally.
|
| CVE-2026-22029 |
|
Cross-Site Scripting (XSS) in react (CVE-2026-22029)
cross-site scripting in react (CVE-2026-22029). Confidential information can be exposed externally.
|
| CVE-2025-52078 |
|
Unrestricted File Upload in react (CVE-2025-52078)
vulnerability in react (CVE-2025-52078). Risk of unauthorized operations or information disclosure.
|
| CVE-2017-7916 |
|
Vulnerability in react (CVE-2017-7916)
vulnerability in react (CVE-2017-7916). Confidential information can be exposed externally.
|
| CVE-2017-7920 |
|
Authentication Bypass in react (CVE-2017-7920)
authentication bypass in react (CVE-2017-7920). Confidential information can be exposed externally.
|