CVE-2018-6341
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.
We have discovered 41 live websites that are affected by CVE-2018-6341.
Affected Software
| Product |  React JS |
| Category | JavaScript Frameworks |
| Vulnerable Domains | 41 live websites (less than 0.1% of React JS install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 2 versions ( 5.00% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Dec 31, 2018
- Updated - May 6, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2018-6341 United States | 29 websites |
 Germany | 5 websites |
 Canada | 2 websites |
 China | 1 websites |
 GB | 1 websites |
 India | 1 websites |
 Italy | 1 websites |
 Netherlands | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2018-6341| .com | 28 websites |
| .at | 2 websites |
| .ca | 2 websites |
| .nl | 2 websites |
| .ch | 1 websites |
| .de | 1 websites |
| .eu | 1 websites |
| .it | 1 websites |
| .org | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2018-6341
Top websites that are affected by CVE-2018-6341. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | United States | ***,*** | |
| ******.me | United States | *,***,*** | |
| ******.*******.com | United States | *,***,*** | |
| ********.*****.ca | Canada | *,***,*** | |
| **************.com | United States | *,***,*** | |
| ***********.**********.com | United States | *,***,*** | |
| ********.**********.com | United States | *,***,*** | |
| *************.nl | United States | **,***,*** | |
| *************.at | United States | **,***,*** | |
| *****.**********.com | United States | **,***,*** |
FAQ
CVE-2018-6341 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in React JS
A total of 41 websites have been identified as vulnerable to CVE-2018-6341, based on global website indexing conducted by WebTechSurvey.
The React JS is affected by the CVE-2018-6341 vulnerability.
React JS versions up to and including 16.4.2 are vulnerable to CVE-2018-6341.