cbcvebase.
CVE-2026-33244
published 2026-06-02

CVE-2026-33244: React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP…

PriorityP427medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.14%
4.1th percentile
React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (``) or Data Mode (`createBrowserRouter/`). This is patched in version 7.13.2.

Affected

93 ranges· showing 25
VendorProductVersion rangeFixed in
advanced-cluster-securityrhacs-main-rhel8
ansible-automation-platform-26gateway-rhel9
ansible-automation-platform-27gateway-rhel9
ansible-automation-platformautomation-portal
ansible-on-cloudsaoc-azure-aap-installer-rhel9
apicurioapicurio-registry-ui-rhel8
apicurioapicurio-registry-ui-rhel9
clusterlabspcs
container-native-virtualizationkubevirt-console-plugin
container-native-virtualizationkubevirt-console-plugin-rhel9
devspacesdashboard-rhel9
devspacesopenvsx-rhel9
discoverydiscovery-ui-rhel9
exploit-intelligence-tech-previewagent-client-rhel9
gatekeepergatekeeper-rhel9
grafanagrafana
migration-toolkit-virtualizationmtv-console-plugin-rhel9
mozillathunderbird
mtamta-ui-rhel8
mtamta-ui-rhel9
mtv-candidatemtv-console-plugin-rhel9
multicluster-engineconsole-mce-rhel9
network-observabilitynetwork-observability-console-plugin-compat-rhel9
network-observabilitynetwork-observability-console-plugin-rhel9
odf4ocs-client-console-rhel9

CVSS provenance

nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vendor_redhat5.4MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.