React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React R…
Published:
9 January 2026 at 23:00:00
Alert date:
10 January 2026 at 13:10:58
Source:
nvd.nist.gov
CVE-2026-21884 is a cross-site scripting (XSS) vulnerability in React Router's ScrollRestoration API. The vulnerability affects @remix-run/react versions prior to 2.17.3 and react-router versions 7.0.0 through 7.11.0. The issue occurs in Framework Mode during Server-Side Rendering when using getKey/storageKey props with untrusted content. This could allow arbitrary JavaScript execution during SSR. The vulnerability does not impact users with disabled server-side rendering in Framework Mode or those using Declarative Mode or Data Mode. Patches are available in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Technical details
Mitigation steps:
Affected products:
React Router
@remix-run/react
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-21884
https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.