CVE-2026-21884

HIGH EPSS 28.4%

Published Jan 10, 20265mo ago · Modified Jun 17, 20261w ago

8.2 CVSS 3.1

High

Published Jan 10, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.

CVSS Details

Base Score

8.2

Exploitability

2.8

Impact

4.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Changed

Confidentiality High

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

28.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 2

Vendor	Product	Version	Range
shopify	react-router	*	≥7.0.0 – ≤7.11.0
shopify	remix-run\/react	*	<2.17.3

References 1

github.com https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7

Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.