CVE-2026-40181
published 2026-06-02

Priority P4 · 29 · medium · 6.1 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS 0.16% (5.8th percentile)

React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (). This is patched in versions 7.14.1 and 6.30.4.

Affected

96 ranges · showing 25
Vendor | Product | Version range | Fixed in
advanced-cluster-security | rhacs-main-rhel8 | |
ansible-automation-platform-26 | gateway-rhel9 | |
ansible-automation-platform-27 | gateway-rhel9 | |
ansible-automation-platform | automation-portal | |
ansible-on-clouds | aoc-azure-aap-installer-rhel9 | |
apicurio | apicurio-registry-ui-rhel8 | |
apicurio | apicurio-registry-ui-rhel9 | |
clusterlabs | pcs | |
container-native-virtualization | kubevirt-console-plugin | |
container-native-virtualization | kubevirt-console-plugin-rhel9 | |
devspaces | dashboard-rhel9 | |
devspaces | openvsx-rhel9 | |
discovery | discovery-ui-rhel9 | |
exploit-intelligence-tech-preview | agent-client-rhel9 | |
gatekeeper | gatekeeper-rhel9 | |
grafana | grafana | |
migration-toolkit-virtualization | mtv-console-plugin-rhel9 | |
mozilla | thunderbird | |
mta | mta-ui-rhel8 | |
mta | mta-ui-rhel9 | |
mtv-candidate | mtv-console-plugin-rhel9 | |
multicluster-engine | console-mce-rhel9 | |
network-observability | network-observability-console-plugin-compat-rhel9 | |
network-observability | network-observability-console-plugin-rhel9 | |
odf4 | ocs-client-console-rhel9 | |

CVSS provenance

nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd | v4.0 | 6.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat | | 6.1 | MEDIUM |