CVE-2026-27612: Dangerouslysetinnerhtml Dynamic Interpolation
Constructing HTML via inline string interpolation and passing it directly to `dangerouslySetInnerHTML` bypasses React's XSS protections. If the interpolated variables contain unvalidated user input, an attacker can exploit this to perform Cross-Site Scripting (XSS). Provide standard JSX element children instead, which automatically escape HTML entities.
Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0
JS
JSgreprules fetch cve-2026-27612-dangerouslysetinnerhtml-dynamic-interpolation --engine opengrepDescription
Constructing HTML via inline string interpolation and passing it directly to `dangerouslySetInnerHTML` bypasses React's XSS protections. If the interpolated variables contain unvalidated user input, an attacker can exploit this to perform Cross-Site Scripting (XSS). Provide standard JSX element children instead, which automatically escape HTML entities.
Community feedback
0 signals from signed-in users.
- Useful
- 0
- False positive
- 0
- Metadata
- 0