CVE-2026-33245
published 2026-06-02
Priority P423 · medium · 4.7 · CVSS 3.1
AV:N / AC:H / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.19% (8.6th percentile)
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Affected
91 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform | automation-portal | — | — |
| ansible-on-clouds | aoc-azure-aap-installer-rhel9 | — | — |
| apicurio | apicurio-registry-ui-rhel8 | — | — |
| apicurio | apicurio-registry-ui-rhel9 | — | — |
| clusterlabs | pcs | — | — |
| container-native-virtualization | kubevirt-console-plugin | — | — |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| discovery | discovery-ui-rhel9 | — | — |
| exploit-intelligence-tech-preview | agent-client-rhel9 | — | — |
| gatekeeper | gatekeeper-rhel9 | — | — |
| grafana | grafana | — | — |
| migration-toolkit-virtualization | mtv-console-plugin-rhel9 | — | — |
| mozilla | thunderbird | — | — |
| mta | mta-ui-rhel8 | — | — |
| mta | mta-ui-rhel9 | — | — |
| mtv-candidate | mtv-console-plugin-rhel9 | — | — |
| multicluster-engine | console-mce-rhel9 | — | — |
| network-observability | network-observability-console-plugin-compat-rhel9 | — | — |
| network-observability | network-observability-console-plugin-rhel9 | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
CVSS provenance
nvd · v3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
vendor_redhat · 4.7 MEDIUM
VulDB
remix-run react-router up to 7.13.1 cross site scripting (GHSA-8646-j5j9-6r62)
vuldb·2026-06-03·CVSS 8.0
CVE-2026-33245 [HIGH] remix-run react-router up to 7.13.1 cross site scripting (GHSA-8646-j5j9-6r62)
A vulnerability was found in remix-run react-router up to 7.13.1 and classified as problematic. The impacted element is an unknown function. Such manipulation leads to cross site scripting.
This vulnerability is listed as CVE-2026-33245. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
ghsa·2026-06-03
CVE-2026-33245 [HIGH] CWE-79 React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
When using React Router v7's unstable RSC APIs, there is a potential client-side XSS issue in the RSC redirect handling if redirects come from untrusted sources.
> [!NOTE]
> This only impacts your application if you are using the unstable RSC APIs in React Router.
Red Hat
react-router: React Router: Cross-Site Scripting vulnerability via untrusted React Server Component redirects
vendor_redhat·2026-06-02·CVSS 4.7
CVE-2026-33245 [MEDIUM] CWE-79 react-router: React Router: Cross-Site Scripting vulnerability via untrusted React Server Component redirects
A flaw was found in React Router. This vulnerability, a type of Cross-Site Scripting (XSS), affects applications utilizing React Router's unstable React Server Components (RSC) APIs. A remote attacker could exploit this by sending untrusted redirects, leading to the executio
No detection rules found.
No public exploits indexed.
Published: 2026-06-02