@inertiajs/react is vulnerable to Cross-Site Scripting (XSS)
59
Medium Risk
The adapter builds the server-rendered document head and inserts the title prop into a <title> element by string concatenation. Before the fix the title value is not HTML-escaped, so an application that renders untrusted data in the page title emits it verbatim into the SSR HTML. An attacker can break out of the title element with markup such as </title><script> to execute arbitrary script in the victim's browser. The fix HTML-escapes the title content before inserting it into the head output.
You are affected if you are using a version that falls within the vulnerable range and your application renders untrusted input in the page title with server-side rendering (SSR) enabled.
@inertiajs/react is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 2.3.21 and 3.0.0 - 3.0.3.
Upgrade the @inertiajs/react and/or the @inertiajs/vue3 library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant