CVSS: 7.5 • EPSS: 0% • CPEs: 9 • EXPL: 0 • CVE-2026-23870
https://notcve.org/view.php?id=CVE-2026-23870
06 May 2026 — A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints. This could lead to server crashes, out-of-memory exceptions or excessive CPU usage, and affects the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5). • https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh
CVSS: 7.5 • EPSS: 0% • CPEs: 9 • EXPL: 0 • CVE-2026-23869
https://notcve.org/view.php?id=CVE-2026-23869
08 Apr 2026 — A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered by sending specially crafted HTTP requests to Server Function endpoints. The payload of the HTTP request causes excessive CPU usage for up to a minute, ending in a thrown error that is catchable. • https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg • CWE-400: Uncontrolled Resource Consumption • CWE-502: Deserialization of Untrusted Data
CVSS: 7.5 • EPSS: 1% • CPEs: 9 • EXPL: 0 • CVE-2026-23864
https://notcve.org/view.php?id=CVE-2026-23864
26 Jan 2026 — Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgradi... • https://www.facebook.com/security/advisories/cve-2026-23864 • CWE-400: Uncontrolled Resource Consumption • CWE-502: Deserialization of Untrusted Data
CVSS: 10.0 • EPSS: 84% • CPEs: 9 • EXPL: 6 • CVE-2025-55182 – Meta React Server Components Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-55182
03 Dec 2025 — A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how Reac... • https://packetstorm.news/files/id/212477
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-66081 – WordPress Head Meta Data plugin <= 20250327 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-66081
21 Nov 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Head Meta Data head-meta-data allows Stored XSS. This issue affects Head Meta Data: from n/a through <= 20250327. The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 20250327 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject ... • https://vdp.patchstack.com/database/Wordpress/Plugin/head-meta-data/vulnerability/wordpress-head-meta-data-plugin-20250327-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-55178
https://notcve.org/view.php?id=CVE-2025-55178
24 Sep 2025 — Llama Stack prior to version v0.2.20 accepted unverified parameters in the resolve_ast_by_type function which could potentially allow for remote code execution. • https://github.com/llamastack/llama-stack/pull/3281
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 11 • CVE-2025-27591 – Below Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-27591
11 Mar 2025 — A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow. Below versions prior to 0.9.0 suffer from a local privilege escalation vulnerability due to poor permissions. • https://packetstorm.news/files/id/213355
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-23907 – WordPress SOCIAL.NINJA plugin <= 0.2 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-23907
16 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in closed SOCIAL.NINJA allows Stored XSS. This issue affects SOCIAL.NINJA: from n/a through 0.2. The SOCIAL.NINJA plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages t... • https://patchstack.com/database/wordpress/plugin/seo-meta/vulnerability/wordpress-social-ninja-plugin-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 7.5 • EPSS: 3% • CPEs: 1 • EXPL: 0 • CVE-2024-50050
https://notcve.org/view.php?id=CVE-2024-50050
23 Oct 2024 — Llama Stack prior to revision 7a8aa775e5a267cf8660d83140011a0b7f91e005 used pickle as a serialization format for socket communication, potentially allowing for remote code execution. Socket communication has been changed to use JSON instead. • https://www.facebook.com/security/advisories/cve-2024-50050
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2024-43278 – WordPress Meta Field Block plugin <= 1.2.13 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43278
16 Aug 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Phi Phan Meta Field Block allows Stored XSS. This issue affects Meta Field Block: from n/a through 1.2.13. The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitr... • https://patchstack.com/database/vulnerability/display-a-meta-field-as-block/wordpress-meta-field-block-plugin-1-2-13-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
