React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React R…

CVE-2026-21884 is a cross-site scripting (XSS) vulnerability in React Router's ScrollRestoration API. The vulnerability affects @remix-run/react versions prior to 2.17.3 and react-router versions 7.0.0 through 7.11.0. The issue occurs in Framework Mode during Server-Side Rendering when using getKey/storageKey props with untrusted content. This could allow arbitrary JavaScript execution during SSR. The vulnerability does not impact users with disabled server-side rendering in Framework Mode or those using Declarative Mode or Data Mode. Patches are available in @remix-run/react version 2.17.3 and react-router version 7.12.0.