CVE-2026-42342
published 2026-06-02

Priority: P345 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.30% (21.5th percentile)

React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (``) or Data Mode (`createBrowserRouter/`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.

Affected

84 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| advanced-cluster-security | rhacs-main-rhel8 | | |
| ansible-automation-platform-26 | gateway-rhel9 | | |
| ansible-automation-platform-27 | gateway-rhel9 | | |
| ansible-automation-platform | automation-portal | | |
| ansible-on-clouds | aoc-azure-aap-installer-rhel9 | | |
| apicurio | apicurio-registry-ui-rhel8 | | |
| apicurio | apicurio-registry-ui-rhel9 | | |
| clusterlabs | pcs | | |
| container-native-virtualization | kubevirt-console-plugin | | |
| devspaces | dashboard-rhel9 | | |
| devspaces | openvsx-rhel9 | | |
| discovery | discovery-ui-rhel9 | | |
| exploit-intelligence-tech-preview | agent-client-rhel9 | | |
| gatekeeper | gatekeeper-rhel9 | | |
| grafana | grafana | | |
| migration-toolkit-virtualization | mtv-console-plugin-rhel9 | | |
| mozilla | thunderbird | | |
| mta | mta-ui-rhel8 | | |
| mta | mta-ui-rhel9 | | |
| mtv-candidate | mtv-console-plugin-rhel9 | | |
| multicluster-engine | console-mce-rhel9 | | |
| network-observability | network-observability-console-plugin-compat-rhel9 | | |
| network-observability | network-observability-console-plugin-rhel9 | | |
| odf4 | ocs-client-console-rhel9 | | |
| odf4 | odf-console-rhel9 | | |

CVSS provenance

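| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | | 7.5 | HIGH | |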