react · threatengine.sh

CVE-2026-23864

>= 19.0.0 and < 19.0.4

Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-pa

7.5HIGH

CVE-2025-67779

all versions

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of ser

7.5HIGH

CVE-2025-55184

>= 19.0.0 and < 19.0.2

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.

7.5HIGH

CVE-2025-55183

>= 19.0.0 and < 19.0.2

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.

5.3MEDIUM

CVE-2025-55182

all versions

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19

10.0CRITICAL

CVE-2023-5654

< 4.28.4

The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content

6.5MEDIUM

CVE-2020-1920

>= 0.59.0 and < 0.64.1

A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use exce

7.5HIGH

CVE-2021-24033

< 11.0.4

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command str

5.6MEDIUM

CVE-2018-6342

>= 1.0.0 and < 1.0.4

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launc

9.8CRITICAL

CVE-2018-6341

>= 16.0.0 and < 16.0.1

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-t

6.1MEDIUM

facebook react