CVE-2026-21884
Published 2026-01-10
Priority P344 · high · 8.2 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:L / A:N
EPSS: 0.47% (37.3rd percentile)
React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's `<ScrollRestoration>` API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
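What this bug class looks like in practice, as an added example that is not React Router's source code: the render functions below are hypothetical and model the shape the advisory describes, a scroll-restoration storage key that ends up inside an inline `<script>` block of server-rendered HTML. `JSON.stringify` alone does not stop a `</script>` sequence inside a string from terminating the script element, so a key derived from request data (a query parameter, a path segment) becomes a markup-injection point. The hardened serializer escapes `<` and `>` to `\u003c`/`\u003e`, which is still valid JSON, and the application-side fix keeps request data out of the key entirely via an allowlist. Upgrading to 2.17.3 / 7.12.0 remains the actual fix; this only illustrates why the `getKey`/`storageKey` props are the sensitive input.

```javascript
// Added example (not React Router's source): models how a string used as a
// ScrollRestoration storage key can reach an inline <script> emitted during SSR,
// and why untrusted input there becomes XSS. All functions here are hypothetical.

// Naive SSR serialization: JSON.stringify does NOT neutralise "</script>" inside a
// string value, so the browser's HTML parser closes the script element early and
// treats whatever follows as markup.
function renderScrollScriptUnsafe(storageKey, positions) {
  return `<script>window.__scroll = { key: ${JSON.stringify(storageKey)}, positions: ${JSON.stringify(positions)} };</script>`;
}

// Hardened: escape characters that are significant to the HTML parser inside a
// <script> block. The JSON stays valid because \u003c is a legal JSON escape, and
// U+2028/U+2029 are escaped because older engines treated them as line terminators.
function escapeForInlineScript(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderScrollScriptSafe(storageKey, positions) {
  const payload = escapeForInlineScript(JSON.stringify({ key: storageKey, positions }));
  return `<script>window.__scroll = ${payload};</script>`;
}

// Defence in depth on the application side: never derive the key from raw request
// data. Map the request to a small allowlist of known keys and fall back to a default.
const ALLOWED_KEYS = new Set(['main', 'sidebar', 'search-results']);
function safeKeyFromRequest(requestedKey) {
  return ALLOWED_KEYS.has(requestedKey) ? requestedKey : 'main';
}

// Helper for the demo: count how many <script> elements the markup opens. A value
// above 1 means the payload broke out of the serialized string.
function countScriptOpenTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed attacker input, e.g. taken verbatim from ?tab=... in the request URL.
const ATTACKER_KEY = '</script><script>alert(document.domain)</script>';

function demo() {
  const unsafe = renderScrollScriptUnsafe(ATTACKER_KEY, { '/': 120 });
  const safe = renderScrollScriptSafe(ATTACKER_KEY, { '/': 120 });
  return {
    unsafeScriptTags: countScriptOpenTags(unsafe), // 2: breakout succeeded
    safeScriptTags: countScriptOpenTags(safe),     // 1: payload is inert text
    // The escaped form still decodes to the original key, so nothing is lost.
    safeRoundTrip: JSON.parse(escapeForInlineScript(JSON.stringify(ATTACKER_KEY))) === ATTACKER_KEY,
    allowlisted: safeKeyFromRequest(ATTACKER_KEY), // 'main'
  };
}
```

The escaping step is the generic defence for any value embedded in an inline script during SSR, not just scroll keys; the allowlist is the cheaper and stronger fix for this specific prop, since a scroll-restoration key has no reason to carry arbitrary user input.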
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| remix-run | react | >= 0 < 2.17.3 | 2.17.3 |
| remix-run | react-router | — | — |
| remix-run | react-router | — | — |
| remix-run | react-router | >= 7.0.0 < 7.12.0 | 7.12.0 |
| shopify | react-router | 7.0.0 – 7.11.0 | — |
| shopify | remix-run_react | < 2.17.3 | 2.17.3 |
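To turn the affected ranges above into a check against a project's lockfile, here is an added example (not part of the advisory or of any vendor tooling) that walks a package-lock.json v2/v3 `packages` map, including nested copies under `node_modules/<dep>/node_modules/`, and reports entries inside the vulnerable ranges. The lockfile excerpt is constructed sample input. A hit means the vulnerable version is installed; whether it is exploitable still depends on Framework Mode with SSR enabled and `getKey`/`storageKey` fed from untrusted input, which no lockfile scan can tell you.

```javascript
// Added example (not part of the advisory): flag lockfile entries that fall inside
// the affected ranges from the table above. Ranges are [min inclusive, fixed exclusive].
const AFFECTED = {
  'react-router': { min: '7.0.0', fixed: '7.12.0' },
  '@remix-run/react': { min: '0.0.0', fixed: '2.17.3' },
};

// Minimal semver comparison on major.minor.patch. Prerelease and build tags are
// dropped, so 7.12.0-pre.1 is treated as 7.12.0 (an assumption; a real check
// should use the semver package).
function parseVersion(v) {
  const [core] = v.replace(/^v/, '').split(/[-+]/);
  return core.split('.').map((n) => Number.parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(pkg, version) {
  const range = AFFECTED[pkg];
  if (!range) return false;
  return compareVersions(version, range.min) >= 0 && compareVersions(version, range.fixed) < 0;
}

// Lockfile v2/v3 keys look like "node_modules/react-router" or, for a nested copy,
// "node_modules/legacy-widget/node_modules/react-router". The package name is
// whatever follows the last "node_modules/", which also handles scoped packages.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name && entry.version && isAffected(name, entry.version)) {
      hits.push({ path, name, version: entry.version, fixed: AFFECTED[name].fixed });
    }
  }
  return hits;
}

// Constructed sample lockfile excerpt: one vulnerable react-router at the top level,
// a patched @remix-run/react, and a nested 6.x react-router outside the range.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/react-router': { version: '7.11.0' },
    'node_modules/@remix-run/react': { version: '2.17.3' },
    'node_modules/legacy-widget/node_modules/react-router': { version: '6.30.2' },
  },
};
```

On a real project, load the object with `JSON.parse(fs.readFileSync('package-lock.json'))` and pass it to `findAffected`; the nested-copy case matters because `npm ls react-router` can show a patched top-level version while an older copy is still bundled under another dependency.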
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N |
| vendor_redhat | n/a | 8.2 | HIGH | n/a |
OSV
React Router SSR XSS in ScrollRestoration
osv·2026-01-08
CVE-2026-21884 [HIGH]
An XSS vulnerability exists in React Router's `<ScrollRestoration>` API in [Framework Mode](https://reactrouter.com/start/modes#framework) when using the `getKey`/`storageKey` props during Server-Side Rendering, which could allow arbitrary JavaScript execution if untrusted content is used to generate the keys.
> [!NOTE]
> This does not impact applications if developers have [disabled server-side rendering](https://reactrouter.com/how-to/spa) in Framework Mode, or if they are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).
GHSA
React Router SSR XSS in ScrollRestoration
ghsa·2026-01-08
CVE-2026-21884 [HIGH] CWE-79
An XSS vulnerability exists in React Router's `<ScrollRestoration>` API in [Framework Mode](https://reactrouter.com/start/modes#framework) when using the `getKey`/`storageKey` props during Server-Side Rendering, which could allow arbitrary JavaScript execution if untrusted content is used to generate the keys.
> [!NOTE]
> This does not impact applications if developers have [disabled server-side rendering](https://reactrouter.com/how-to/spa) in Framework Mode, or if they are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).
Red Hat
react-router: @remix-run/react: React Router SSR XSS in ScrollRestoration
vendor_redhat·2026-01-10·CVSS 8.2
CVE-2026-21884 [HIGH] CWE-79
React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's `<ScrollRestoration>` API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
A cross-site scripting flaw has been discovered in the npm react-router package. The cross-site scripting (
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
blogs_hackernews·2026-03-23
## ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories.
This edition covers a mix of issues: supply chain attacks hitting CI/CD setups, long-abused IoT devices being shut down, and exploits moving quickly from disclosure to real attacks. There are also new malware tricks showing attackers are becoming more patient and creative.
It's a mix of old problems that never go away and new methods that are harder to detect. Th
Wiz
CVE-2026-21884 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-21884 [HIGH]
## CVE-2026-21884: JavaScript vulnerability analysis and mitigation
React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's `<ScrollRestoration>` API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Source: NVD
Score 8.2 · Published January 10, 2026 · Severity HIGH · CNA Score 8.2
Affected Technologie
Wiz
CVE-2025-68470 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2025-68470 [HIGH]
## CVE-2025-68470: React Router vulnerability analysis and mitigation
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if untrusted content is passed into navigation paths in application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Source: NVD
Score 6.5 · Published January 10, 2026 · Severity MEDIUM · CNA Score 6.5
Affected Technologies: React Router; Linux Red Hat
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (
Bugzilla
CVE-2026-21884 react-router: @remix-run/react: React Router SSR XSS in ScrollRestoration
bugzilla·2026-01-10·CVSS 8.2
CVE-2026-21884 [HIGH]
React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's `<ScrollRestoration>` API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Discussion:
This issue has been addressed in the following products:
Red Hat Ansible Autom
References
https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:3782
https://access.redhat.com/errata/RHSA-2026:3958
https://access.redhat.com/errata/RHSA-2026:3960
https://access.redhat.com/security/cve/CVE-2026-21884
https://bugzilla.redhat.com/show_bug.cgi?id=2428421
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21884.json
Published 2026-01-10