cvebase

Shopify React-Router vulnerabilities

11 known vulnerabilities affecting shopify/react-router.

Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 5, MEDIUM 6

Vulnerabilities

CVE-2026-42211 | P3 | HIGH | CVSS 8.1 | ≥ 7.0.0, < 7.14.2 | 2026-06-02
CVE-2026-42211 [HIGH] CWE-502: React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step atta
nvd
CVE-2026-42342 | P3 | HIGH | CVSS 7.5 | ≥ 7.0.0, < 7.15.0 | 2026-06-02
CVE-2026-42342 [HIGH] CWE-400: React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for en
nvd
CVE-2026-21884 | P3 | HIGH | CVSS 8.2 | ≥ 7.0.0, ≤ 7.11.0 | 2026-01-10
CVE-2026-21884 [HIGH] CWE-79: React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to gene
nvd
CVE-2025-59057 | P3 | HIGH | CVSS 7.6 | ≥ 7.0.0, ≤ 7.8.2 | 2026-01-10
CVE-2025-59057 [HIGH] CWE-79: React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the
nvd
CVE-2026-34077 | P3 | HIGH | CVSS 7.5 | ≥ 7.0.0, < 7.14.0 | 2026-06-02
CVE-2026-34077 [HIGH] CWE-770: React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable R
nvd
CVE-2025-68470 | P3 | MEDIUM | CVSS 6.5 | ≥ 6.0.0, ≤ 6.30.1; ≥ 7.0.0, ≤ 7.9.5 | 2026-01-10
CVE-2025-68470 [MEDIUM] CWE-601: React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navi
nvd
CVE-2026-22030 | P4 | MEDIUM | CVSS 6.5 | ≥ 7.0.0, ≤ 7.11.0 | 2026-01-10
CVE-2026-22030 [MEDIUM] CWE-346: React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC mod
nvd
CVE-2026-22029 | P4 | MEDIUM | CVSS 6.1 | ≥ 7.0.0, ≤ 7.11.0 | 2026-01-10
CVE-2026-22029 [MEDIUM] CWE-79: React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client
nvd
CVE-2026-40181 | P4 | MEDIUM | CVSS 6.1 | ≥ 6.7.0, < 6.30.4; ≥ 7.0.0, < 7.14.1 | 2026-06-02
CVE-2026-40181 [MEDIUM] CWE-601: React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior t
nvd
CVE-2026-33244 | P4 | MEDIUM | CVSS 5.4 | ≥ 7.5.1, < 7.13.2 | 2026-06-02
CVE-2026-33244 [MEDIUM] CWE-79: React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications
nvd
CVE-2026-33245 | P4 | MEDIUM | CVSS 4.7 | ≥ 7.7.0, < 7.13.2 | 2026-06-02
CVE-2026-33245 [MEDIUM] CWE-79: React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable
nvd