CVE-2026-33244
Published: 2026-06-02
Priority P4 · medium · CVSS 3.1 base score 5.4 · vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.14% (4.1th percentile)
React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (``) or Data Mode (`createBrowserRouter/`). This is patched in version 7.13.2.
Affected (93 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform | automation-portal | — | — |
| ansible-on-clouds | aoc-azure-aap-installer-rhel9 | — | — |
| apicurio | apicurio-registry-ui-rhel8 | — | — |
| apicurio | apicurio-registry-ui-rhel9 | — | — |
| clusterlabs | pcs | — | — |
| container-native-virtualization | kubevirt-console-plugin | — | — |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| discovery | discovery-ui-rhel9 | — | — |
| exploit-intelligence-tech-preview | agent-client-rhel9 | — | — |
| gatekeeper | gatekeeper-rhel9 | — | — |
| grafana | grafana | — | — |
| migration-toolkit-virtualization | mtv-console-plugin-rhel9 | — | — |
| mozilla | thunderbird | — | — |
| mta | mta-ui-rhel8 | — | — |
| mta | mta-ui-rhel9 | — | — |
| mtv-candidate | mtv-console-plugin-rhel9 | — | — |
| multicluster-engine | console-mce-rhel9 | — | — |
| network-observability | network-observability-console-plugin-compat-rhel9 | — | — |
| network-observability | network-observability-console-plugin-rhel9 | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
CVSS provenance
- NVD (v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Red Hat (vendor): 5.4 MEDIUM
GHSA (2026-06-03) · CVE-2026-33244 · MEDIUM · CWE-79
React Router has stored XSS via unescaped Location header in prerendered redirect HTML
When using React Router v7 [Framework Mode](https://reactrouter.com/start/modes#framework) with [Pre-rendering](https://reactrouter.com/how-to/pre-rendering) enabled, an improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in statically generated HTML files if the redirect location comes from an untrusted source.
> [!NOTE]
> This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (``) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/``).
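To make the failure mode above concrete, here is an added illustration that is not React Router's own code: a prerender step that writes a redirect's `Location` value into a static HTML file, first verbatim and then validated and attribute-escaped. It assumes the generated file carries the target in a `<meta http-equiv="refresh">` attribute; the function names and the sample location are constructed for this example.

```javascript
// Added illustration of the advisory's failure mode, not React Router's code.
// Assumption: the prerendered redirect file is a minimal HTML page that sends
// the browser on via <meta http-equiv="refresh">, whose content attribute
// carries the Location header value.

// HTML-attribute escaping: each character that could close the attribute or
// open a tag is replaced by its entity, so the value stays inert text.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Only accept targets a redirect can legitimately name: a root-relative path
// or an absolute http(s) URL. Other schemes and protocol-relative "//host"
// values are rejected before they reach the template.
function isAllowedRedirect(location) {
  if (typeof location !== "string" || location.length === 0) return false;
  if (location.startsWith("/") && !location.startsWith("//")) return true;
  try {
    const url = new URL(location);
    return url.protocol === "http:" || url.protocol === "https:";
  } catch {
    return false;
  }
}

// Before: the Location value is dropped into the attribute verbatim, so a
// quote and an angle bracket in it end the attribute and start new markup.
function renderRedirectHtmlUnsafe(location) {
  return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url=${location}"></head></html>`;
}

// After: validate the target, then escape it for the attribute context.
function renderRedirectHtml(location) {
  if (!isAllowedRedirect(location)) {
    throw new Error(`refusing to prerender redirect to ${JSON.stringify(location)}`);
  }
  return `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url=${escapeHtmlAttr(location)}"></head></html>`;
}

// Constructed sample: a redirect target carrying attribute-breaking characters.
const SAMPLE_LOCATION = '/login?next="><b>';
```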
VulDB (2026-06-02) · CVE-2026-33244 · MEDIUM · CVSS 5.4
remix-run react-router up to 7.13.1 HTML File createBrowserRouter/ HTML injection (GHSA-f22v-gfqf-p8f3)
A vulnerability, which was classified as problematic, has been found in remix-run react-router up to 7.13.1. Affected by this vulnerability is an unknown functionality of the file createBrowserRouter/ of the component HTML File Handler. This manipulation causes HTML injection.
This vulnerability is registered as CVE-2026-33244. Remote exploitation of the attack is possible. No exploit is available.
It is advisable to upgrade the affected component.
Red Hat (2026-06-02) · CVE-2026-33244 · MEDIUM · CWE-79 · CVSS 5.4
react-router: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization
A flaw was found in react-router. When using Framework Mode with pre-rendering enabled, an attacker can exploit improper handling of the HTTP `Location` header value. This can lead to Cross-Site Scripting (XSS), allowing malicious scripts t
No detection rules found.
No public exploits indexed.
Bugzilla (2026-06-16) · CVE-2026-33244 · MEDIUM · CVSS 5.4
cachelib: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This project only ships JavaScript code as part of the website; the files are not shipped in the binary RPMs.
Bugzilla (2026-06-16) · CVE-2026-33244 · MEDIUM · CVSS 5.4
freeipa: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization [fedora-all]
Discussion:
Hello, as per https://github.com/remix-run/react-router/security/advisories/GHSA-f22v-gfqf-p8f3 the freeipa WebUI does not use framework mode nor pre-rendering; therefore we can safely waive.
Bugzilla (2026-06-16) · CVE-2026-33244 · MEDIUM · CVSS 5.4
fbthrift: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization [fedora-all]
Discussion:
This project only ships JavaScript code as part of the website; the files are not shipped in the binary RPMs.
Bugzilla (2026-06-16) · CVE-2026-33244 · MEDIUM · CVSS 5.4
fcitx5: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization [fedora-all]
Bugzilla (2026-06-16) · CVE-2026-33244 · MEDIUM · CVSS 5.4
cachelib: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization [epel-all]
Discussion:
This project only ships JavaScript code as part of the website; the files are not shipped in the binary RPMs.
Bugzilla (2026-06-16) · CVE-2026-33244 · MEDIUM · CVSS 5.4
h3: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization [fedora-all]
Bugzilla (2026-06-16) · CVE-2026-33244 · MEDIUM · CVSS 5.4
fbthrift: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization [epel-all]
Discussion:
This project only ships JavaScript code as part of the website; the files are not shipped in the binary RPMs.
Bugzilla (2026-06-16) · CVE-2026-33244 · MEDIUM · CVSS 5.4
llama-cpp: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization [fedora-all]
Bugzilla (2026-06-02) · CVE-2026-33244 · MEDIUM · CVSS 5.4
react-router: React Router: Cross-Site Scripting (XSS) via improper HTTP Location header neutralization
Discussion:
As FreeIPA goes, we can safely waive this one, as we use Declarative mode, which is not affected.
Timeline: 2026-06-02 published