189 matches found
CVE-2026-22029
React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router and Remix v1/v2 SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs...
CVE-2026-22030 React Router has CSRF issue in Action/Server Action Request Processing
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router or Remix v2 is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when...
CVE-2026-22030 React Router has CSRF issue in Action/Server Action Request Processing
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router or Remix v2 is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when...
CVE-2026-22030 React Router has CSRF issue in Action/Server Action Request Processing
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router or Remix v2 is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when...
CVE-2026-22029
React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router and Remix v1/v2 SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs...
CVE-2026-22029 React Router vulnerable to XSS via Open Redirects
React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router and Remix v1/v2 SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs...
CVE-2026-22029
CVE-2026-22029 stems from React Router/Remix Router open redirects in framework-mode redirects. Affected: @remix-run/router <1.23.2 and react-router <7.12.0 (7.0.0–7.11.0). Impact: unsafe URLs and potentially unintended JavaScript execution on the client when redirects originate from loader...
CVE-2026-21884
CVE-2026-21884 is a Cross-Site Scripting (XSS) vulnerability in React Router SSR usage. Affected: @remix-run/react prior to 2.17.3 and react-router 7.0.0–7.11.0. Root cause: during Server-Side Rendering in Framework Mode, using getKey/storageKey with can allow arbitrary JavaScript execution if u...
CVE-2026-21884 React Router SSR XSS in ScrollRestoration
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript...
CVE-2026-21884 React Router SSR XSS in ScrollRestoration
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript...
CVE-2026-21884 React Router SSR XSS in ScrollRestoration
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript...
CVE-2025-61686 React Router has Path Traversal in File Session Storage
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage is being used from @react-router/node or @remix-run/node/@remix-run/deno in Remix v2 with an...
CVE-2025-61686 React Router has Path Traversal in File Session Storage
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage is being used from @react-router/node or @remix-run/node/@remix-run/deno in Remix v2 with an...
CVE-2025-61686 React Router has Path Traversal in File Session Storage
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage is being used from @react-router/node or @remix-run/node/@remix-run/deno in Remix v2 with an...
CVE-2025-59057 React Router has XSS Vulnerability
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution...
CVE-2025-59057 React Router has XSS Vulnerability
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution...
CVE-2025-59057 React Router has XSS Vulnerability
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution...
PT-2026-2138
Name of the Vulnerable Software and Affected Versions react-router versions 7.0.0 through 7.11.0 @remix-run/server-runtime versions prior to 2.17.3 Description React Router, used as a router for React applications, is susceptible to Cross-Site Request Forgery CSRF attacks. This affects document...
@buttery/tokens (>=0.1.2 <=0.1.10), @common-stack/frontend-stack-react (>=6.0.6-alpha.23 <=10.0.1-alpha.0) +26 more potentially affected by CVE-2026-22030 via @remix-run/server-runtime (>=2.0.0-pre.0 <=2.17.2)
@remix-run/server-runtime NPM version =2.0.0-pre.0, =0.1.2, =6.0.6-alpha.23, =6.0.6-alpha.28, =0.1.0, =5.6.0, =5.13.0, =5.6.0, =5.6.0, =0.1.36, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.17.2 and more Source cves: CVE-2026-22030 Source advisory: SNYK:JS-REMIXRUNSERVERRUNTIME-14908428...
Cross-site Request Forgery (CSRF)
Overview @remix-run/server-runtime is a Server runtime for Remix Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to the improper origin checks of UI route submissions in server-side route action handlers in Framework Mode. An attacker can execute unauthoriz...