Intel

AIKIDO-2026-73952

@inertiajs/react is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

59

Medium Risk

This Affects:

JS@inertiajs/react
1.0.0 - 2.3.21
Fixed in 2.3.22
Are you affected? Scan for Free

TL;DR

The Head component renders the title prop into a <title> element during server-side rendering without HTML-escaping its value. An application that passes attacker-controlled data as the page title lets an attacker close the title element early and inject markup such as </title><script> into the server-rendered HTML response. Before the fix this allows arbitrary script execution in the victim's browser in the application origin. The fix escapes the title content before it is written into the SSR <title> element.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you use server-side rendering with Head titles derived from untrusted input.

Background info

@inertiajs/react is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 2.3.21.

How to fix this

Upgrade the @inertiajs/react library to the patch version.