cbcvebase.

Shopify Remix-Run React vulnerabilities

4 known vulnerabilities affecting shopify/remix-run_react.

Total CVEs
4
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH2MEDIUM2

Vulnerabilities

Page 1 of 1
CVE-2026-21884P3HIGHCVSS 8.2fixed in 2.17.32026-01-10
CVE-2026-21884 [HIGH] CWE-79 CVE-2026-21884: React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7. React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to gene
nvd
CVE-2025-59057P3HIGHCVSS 7.6≥ 1.15.0, ≤ 2.17.02026-01-10
CVE-2025-59057 [HIGH] CWE-79 CVE-2025-59057: React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-ro React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the
nvd
CVE-2026-22030P4MEDIUMCVSS 6.5fixed in 2.17.32026-01-10
CVE-2026-22030 [MEDIUM] CWE-346 CVE-2026-22030: React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react- React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC mod
nvd
CVE-2026-22029P4MEDIUMCVSS 6.1fixed in 1.23.22026-01-10
CVE-2026-22029 [MEDIUM] CWE-79 CVE-2026-22029: React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7. React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client
nvd