CVE-2026-53663
Published 2026-06-22
Priority P4 · 12 · low · CVSS 3.1: 3.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.11% (1.3th percentile)
React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate. This vulnerability is fixed in 7.15.1.
Affected
31 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-on-clouds | aoc-azure-aap-installer-rhel9 | — | — |
| exploit-intelligence-tech-preview | agent-client-rhel9 | — | — |
| network-observability | network-observability-console-plugin-pf4-rhel9 | — | — |
| network-observability | network-observability-console-plugin-pf5-rhel9 | — | — |
| network-observability | network-observability-console-plugin-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-pf5-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel9 | — | — |
| openshift-pipelines | pipelines-hub-ui-rhel9 | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| openshift4 | ose-monitoring-plugin-rhel9 | — | — |
| quay | quay-rhel8 | — | — |
| quay | quay-rhel9 | — | — |
| remix-run | react-router | — | — |
| remix-run | react-router | — | — |
| remix-run | react-router | >= 7.12.0 < 7.15.1 | 7.15.1 |
| remix-run | server-runtime | — | — |
| remix-run | server-runtime | >= 2.17.3 < 2.17.5 | 2.17.5 |
| rhoai | odh-dashboard-rhel9 | — | — |
| rhoai | odh-mlflow-rhel9 | — | — |
| rhoai | odh-mod-arch-automl-rhel9 | — | — |
| rhoai | odh-mod-arch-autorag-rhel9 | — | — |
| rhoai | odh-mod-arch-eval-hub-rhel9 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |
| vendor_redhat | 3.1 | — | LOW | — |
VulDB
remix-run react-router/server-runtime up to 7.15.0 cross-site request forgery (EUVD-2026-38338)
vuldb·2026-06-22·CVSS 3.1
CVE-2026-53663 [LOW] remix-run react-router/server-runtime up to 7.15.0 cross-site request forgery (EUVD-2026-38338)
A vulnerability categorized as problematic has been discovered in remix-run react-router and server-runtime up to 7.15.0. The impacted element is an unknown function. The manipulation results in cross-site request forgery.
This vulnerability is identified as CVE-2026-53663. The attack can be executed remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
GHSA
React Router: Potential CSRF via PUT/PATCH/DELETE document requests
ghsa·2026-06-15
CVE-2026-53663 [LOW] CWE-352 React Router: Potential CSRF via PUT/PATCH/DELETE document requests
React Router: Potential CSRF via PUT/PATCH/DELETE document requests
Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.
> [!NOTE]
> This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#framework) (``) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/``).
Red Hat
react-router: @remix-run/server-runtime: React Router: Insufficient CSRF protection allows integrity impact
vendor_redhat·2026-06-22·CVSS 3.1
CVE-2026-53663 [LOW] CWE-352 react-router: @remix-run/server-runtime: React Router: Insufficient CSRF protection allows integrity impact
react-router: @remix-run/server-runtime: React Router: Insufficient CSRF protection allows integrity impact
React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate. This vulnerability is fixed in 7.15.1.
A flaw was found in React Router. Insufficient Cross-Site Request Forgery (CSRF) checks in Framework Mode allow a remote attacker to bypass these protections on PUT, PATCH, and DELETE requests. This could lead to a low integrity impact.
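The defect class described in the advisory texts above (a CSRF check keyed on POST alone, so PUT/PATCH/DELETE document requests skip it) is easiest to see with a minimal Origin-vs-Host check written both ways. The following is an added illustration, not React Router's code and not a description of how the affected versions were implemented; the request shape, header handling and function names are constructed for the example.

```javascript
// Added example: a minimal Origin-vs-Host CSRF check for document
// requests, in a flawed and a fixed variant. Constructed for
// illustration; it is not React Router's implementation.

// RFC 9110 "safe" methods never change server state, so they are exempt
// from the check. Every other method must prove it is same-origin.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// A request here is a plain object { method, headers: { origin, host } }
// standing in for an incoming Request (constructed; header names lowercase).
function isSameOrigin(req) {
  const origin = req.headers.origin;
  const host = req.headers.host;
  // No Origin header (same-origin navigation, non-browser client): allow;
  // this check only gates cross-origin browser submissions.
  if (!origin) return true;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // unparsable Origin: refuse rather than guess
  }
  return parsed.host === host;
}

// Flawed variant: the check is keyed on one method name, so PUT, PATCH
// and DELETE never reach isSameOrigin(). This is the class of defect the
// advisory describes ("run on POST" but bypassed on the other methods).
function checkCsrfFlawed(req) {
  if (req.method.toUpperCase() === "POST") {
    return isSameOrigin(req) ? "ok" : "forbidden";
  }
  return "ok";
}

// Fixed variant: gate every method that is not safe, so any
// state-changing method is covered by default instead of by allowlist.
function checkCsrfFixed(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return "ok";
  return isSameOrigin(req) ? "ok" : "forbidden";
}

// Constructed sample requests (not captured traffic).
function makeRequest(method, origin, host = "app.example") {
  const headers = { host };
  if (origin !== undefined) headers.origin = origin;
  return { method, headers };
}

const SAMPLES = {
  getSameOrigin: makeRequest("GET", "https://app.example"),
  postCross: makeRequest("POST", "https://evil.example"),
  deleteCross: makeRequest("DELETE", "https://evil.example"),
  putSame: makeRequest("PUT", "https://app.example"),
  patchNoOrigin: makeRequest("PATCH", undefined),
};

// Runs both variants over the samples and returns the decision table;
// the gap shows up as deleteCross being "ok" under the flawed variant only.
function compareVariants() {
  const result = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    result[name] = { flawed: checkCsrfFlawed(req), fixed: checkCsrfFixed(req) };
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareVariants());
}
```

The design point is the direction of the default: a check that enumerates the methods it protects silently exempts every method it forgot, whereas a check that enumerates the safe methods fails closed for anything else. When auditing a framework's CSRF layer, the question to ask is which of the two shapes it has.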
No detection rules found.
No public exploits indexed.