The term is always ambiguous. But react is generally understood as a client library and client-side vulnerabilities are hardly a new thing. XSS exists as a whole subfield of study precisely because of the difficulty of keeping site code from getting fooled by malicious input.

Basically you're technically correct with your quip, but engaging in some pretty awful security analysis. IMHO most people reading this headline are not going to understand that they need to audit their server dependencies.