Intel

AIKIDO-2026-842900

@inertiajs/react is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

59

Medium Risk

This Affects:

JS@inertiajs/react
1.0.0 - 2.3.21
Fixed in 2.3.22
3.0.0 - 3.0.3
Fixed in 3.1.0
Are you affected? Scan for Free

TL;DR

The adapter builds the server-rendered document head and inserts the title prop into a <title> element by string concatenation. Before the fix the title value is not HTML-escaped, so an application that renders untrusted data in the page title emits it verbatim into the SSR HTML. An attacker can break out of the title element with markup such as </title><script> to execute arbitrary script in the victim's browser. The fix HTML-escapes the title content before inserting it into the head output.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application renders untrusted input in the page title with server-side rendering (SSR) enabled.

Background info

@inertiajs/react is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 2.3.21 and 3.0.0 - 3.0.3.

How to fix this

Upgrade the @inertiajs/react and/or the @inertiajs/vue3 library to the patch version.