CVE-2026-22029
Published 2026-01-10
Priority: P4 · 32 · medium · CVSS 3.1: 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.77% (51.0th percentile)
React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
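The advisory's precondition is a redirect path built from untrusted input. The following is an added example, not code from React Router or the advisory: it reduces such a candidate (for instance a `?next=` query value) to a same-origin path before a loader or action hands it to `redirect()`. The function name `safeRedirectTarget` and the probe origin `app.invalid` are my own assumptions.

```javascript
// Added example (not React Router's own code): reduce an untrusted redirect
// target to a same-origin path before a loader/action hands it to redirect().
// Anything that could be read as a scheme (javascript:, data:, https:) or as a
// protocol-relative / backslash host (//evil.example, /\evil.example) is
// replaced by a safe fallback.

const SAFE_FALLBACK = "/";
// Dummy origin (assumption) used only so the WHATWG URL parser can tell us
// whether the candidate stays a plain path; the app's real origin is not needed.
const PROBE_ORIGIN = "https://app.invalid";

function safeRedirectTarget(candidate, fallback = SAFE_FALLBACK) {
  if (typeof candidate !== "string") return fallback;
  // Mirror the URL parser's own pre-processing so "java\tscript:" cannot
  // hide a scheme behind tab/newline characters or surrounding whitespace.
  const cleaned = candidate.replace(/[\t\n\r]/g, "").trim();
  if (!cleaned.startsWith("/")) return fallback;   // relative paths and scheme forms
  if (/^\/[\/\\]/.test(cleaned)) return fallback;  // //host or /\host
  let parsed;
  try {
    parsed = new URL(cleaned, PROBE_ORIGIN);
  } catch {
    return fallback;
  }
  // If resolving moved us off the probe origin, the input was not a path.
  if (parsed.origin !== PROBE_ORIGIN) return fallback;
  // Re-serialise from the parsed parts so the caller gets a normalised path.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Usage sketch inside a loader (illustrative, not exercised here):
//   const next = new URL(request.url).searchParams.get("next");
//   return redirect(safeRedirectTarget(next, "/dashboard"));
```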
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| remix-run | react-router | — | — |
| remix-run | react-router | >= 7.0.0 < 7.12.0 | 7.12.0 |
| remix-run | remix-run_router | < 1.23.2 | 1.23.2 |
| remix-run | router | >= 0 < 1.23.2 | 1.23.2 |
| shopify | react-router | 7.0.0 – 7.11.0 | — |
| shopify | remix-run_react | < 1.23.2 | 1.23.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| vendor_redhat | — | 8.0 | HIGH | — |
OSV
React Router vulnerable to XSS via Open Redirects (osv · 2026-01-08 · HIGH)
React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in [Framework Mode](https://reactrouter.com/start/modes#framework), [Data Mode](https://reactrouter.com/start/modes#data), or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.
> [!NOTE]
> This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (``).
GHSA
React Router vulnerable to XSS via Open Redirects (ghsa · 2026-01-08 · HIGH · CWE-79)
Red Hat
@remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects (vendor_redhat · 2026-01-10 · CVSS 8.0 · HIGH · CWE-79)
A cross-site scripting flaw has been discovered in the npm react-router and @remix-run/router packages.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-22029 grafana: React Router vulnerable to XSS via Open Redirects [fedora-42] (bugzilla · 2026-01-12 · CVSS 6.1 · MEDIUM)
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug re
Bugzilla
CVE-2026-22029 h3: React Router vulnerable to XSS via Open Redirects [fedora-42] (bugzilla · 2026-01-12 · CVSS 6.1 · MEDIUM)
Bugzilla
CVE-2026-22029 @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects (bugzilla · 2026-01-10 · CVSS 6.1 · MEDIUM)
Discussion: This issue has been addressed in the following products: Red Hat Ansible
Wiz
CVE-2025-68470 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.6 · HIGH)
## CVE-2025-68470: React Router vulnerability analysis and mitigation
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Source: NVD
Score: 6.5 (CNA score 6.5, severity MEDIUM)
Published: January 10, 2026
Affected technologies: React Router; Linux Red Hat
Has public exploit: No
Has CISA KEV exploit: No
CISA KEV release date: N/A
CISA KEV due date: N/A
Exploitation Probability Percentile (
Wiz
CVE-2026-22029 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.0 · HIGH)
## CVE-2026-22029: JavaScript vulnerability analysis and mitigation
React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Source: NVD
Score: 6.1 (CNA score 8.0, severity MEDIUM)
Published: January 10, 2026
References:
- https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
- https://access.redhat.com/errata/RHSA-2026:13542
- https://access.redhat.com/errata/RHSA-2026:13548
- https://access.redhat.com/errata/RHSA-2026:1517
- https://access.redhat.com/errata/RHSA-2026:17468
- https://access.redhat.com/errata/RHSA-2026:17469
- https://access.redhat.com/errata/RHSA-2026:17474
- https://access.redhat.com/errata/RHSA-2026:19712
- https://access.redhat.com/errata/RHSA-2026:20041
- https://access.redhat.com/errata/RHSA-2026:20042
- https://access.redhat.com/errata/RHSA-2026:2147
- https://access.redhat.com/errata/RHSA-2026:2148
- https://access.redhat.com/errata/RHSA-2026:2149
- https://access.redhat.com/errata/RHSA-2026:21658
- https://access.redhat.com/errata/RHSA-2026:2350
- https://access.redhat.com/errata/RHSA-2026:2456
- https://access.redhat.com/errata/RHSA-2026:2568
- https://access.redhat.com/errata/RHSA-2026:2572
- https://access.redhat.com/errata/RHSA-2026:26413
- https://access.redhat.com/errata/RHSA-2026:26420
- https://access.redhat.com/errata/RHSA-2026:2694
- https://access.redhat.com/errata/RHSA-2026:3087
- https://access.redhat.com/errata/RHSA-2026:3782
- https://access.redhat.com/errata/RHSA-2026:3958
- https://access.redhat.com/errata/RHSA-2026:3959
- https://access.redhat.com/errata/RHSA-2026:3960
- https://access.redhat.com/errata/RHSA-2026:5633
- https://access.redhat.com/errata/RHSA-2026:5636
- https://access.redhat.com/errata/RHSA-2026:8218
- https://access.redhat.com/errata/RHSA-2026:8229
- https://access.redhat.com/errata/RHSA-2026:9848
- https://access.redhat.com/security/cve/CVE-2026-22029
- https://bugzilla.redhat.com/show_bug.cgi?id=2428412
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22029.json
Published 2026-01-10