Can v0.dev components have XSS vulnerabilities?

React, which v0.dev generates code for, provides built-in XSS protection by escaping values embedded in JSX by default. However, v0-generated code can still introduce XSS risks if it uses dangerouslySetInnerHTML, constructs URLs from user input without sanitization, or renders user-provided content in attributes like href or src. Components that display dynamic content from APIs or databases are particularly at risk if the data source is compromised. Server-side rendering can also introduce XSS if proper escaping is not applied during hydration. UNPWNED scans deployed applications for reflected and stored XSS vulnerabilities regardless of how the code was generated.