CVE-2026-22030

MEDIUM EPSS 2.8%
Published Jan 10, 20265mo ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Jan 10, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
2.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-346
CWE-352 Cross-Site Request Forgery (CSRF) Authentication

Affected Products 2

VendorProductVersionRange
shopifyreact-router*≥7.0.0  –  ≤7.11.0
shopifyremix-run\/react* <2.17.3

References 1

  • github.com https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.