CVE-2026-33244

A flaw was found in react-router. When using Framework Mode with pre-rendering enabled, an attacker can exploit improper handling of the HTTP Location header value. This can lead to Cross-Site Scripting XSS, allowing malicious scripts to be injected into statically generated HTML files if the...

CVE-2026-40181

A flaw was found in React Router. This vulnerability allows a remote attacker to redirect users to an external, potentially malicious, website. This occurs when specially crafted URLs, containing paths starting with //, are passed to the redirect function, causing them to be misinterpreted as...

React Router: Potential CSRF via PUT/PATCH/DELETE document requests

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight, SameSite cookies already block the cross-origin attack vectors...

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to insufficient CSRF checks for PUT, PATCH, and DELETE document requests. An attacker can cause unauthorized state changes by tricking a user into submitting crafted requests from another origin. Note...

GHSA-84G9-W2XQ-VCV6 React Router: Potential CSRF via PUT/PATCH/DELETE document requests

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight, SameSite cookies already block the cross-origin attack vectors...

Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS : Qt Declarative vulnerability (USN-8357-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8357-1 advisory. It was discovered that Qt Declarative did not properly validate the width and height attributes of image tags in the Text component of Qt...

RHEL 10 : qt6-qtdeclarative (RHSA-2026:24987)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:24987 advisory. Qt6 - QtDeclarative component. Security Fixes: qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file CVE-2025-14576 For more...

RHSA-2026:24987 Red Hat Security Advisory: qt6-qtdeclarative security update

Bulletin has no description...

Important: Red Hat Security Advisory: qt6-qtdeclarative security update

An update for qt6-qtdeclarative is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

GHSA-RXV8-25V2-QMQ8 React Router vulnerable to Denial of Service via reflected user input in single-fetch

A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0...

qt6-qtdeclarative security update

An update is available for qt6-qtdeclarative. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Qt6 - QtDeclarative component. Security Fixes: qt: Qt SVG: Arbitra...

RLSA-2026:20567 Important: qt6-qtdeclarative security update

Qt6 - QtDeclarative component. Security Fixes: qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file CVE-2025-14576 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in...

RockyLinux 10 : qt6-qtdeclarative (RLSA-2026:20567)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:20567 advisory. qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file CVE-2025-14576 Tenable has extracted the preceding description block directly from th...

GHSA-8X6R-G9MW-2R78 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

EUVD-2026-33996

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation...

GHSA-2J2X-HQR9-3H42 React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect. !NOTE This does not impact your React Router application if you are using Declarative Mode...

SUSE CVE-2026-33244

React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting XSS in the statically generated HTML files if the redirect location comes from an...

PT-2026-46089

There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...