18 matches found

Cvelist
added 3 days ago | 25 views

CVE-2026-33245 React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not...

CVSS 8 | EPSS 0.00033
Exploits 0 | References 1
RedHat Linux
added 2026/05/27 8:55 a.m. | 17 views

Important: Red Hat Security Advisory: OpenShift Container Platform 4.19.32 security and extras update

Red Hat OpenShift Container Platform release 4.19.32 is now available with updates to packages and images that fix several bugs. This release includes a security update for Red Hat OpenShift Container Platform 4.19. Red Hat Product Security has rated this update as having a security impact of...

CVSS 9.8 | AI score 6.9 | EPSS 0.0008
Exploits 3 | References 9
IBM Security Bulletins
added 2026/04/10 2:21 p.m. | 4 views

Security Bulletin: Vulnerabilities in lodash, qs might affect IBM Storage Defender Sentinel Anomaly Scan Engine.

Summary IBM Storage Defender Sentinel Anomaly Scan Engine can be affected by vulnerabilities in lodash, qs, and react-router. Vulnerabilities include allowing an attacker to cause improper modification of object attributes, open redirect, and denial of service. More details are described by the...

CVSS 7.9 | AI score 6.4 | EPSS 0.0005
Exploits 2 | Affected Software 1
Positive Technologies
added 2026/01/10 12:0 a.m. | 4 views

PT-2026-1914

Name of the Vulnerable Software and Affected Versions React Router versions 6.0.0 through 6.30.1 React Router versions 7.0.0 through 7.9.5 Description A crafted path supplied by an attacker can cause a React Router application to navigate or redirect to an external URL when using navigate, , or...

CVSS 6.5 | AI score 6.5 | EPSS 0.00048
Exploits 0 | References 3
CNNVD
added 2026/01/10 12:0 a.m. | 3 views

react-router cross-site scripting vulnerability

react-router is a Remix open source declarative routing for React. A cross-site scripting vulnerability exists in react-router versions 7.0.0 through 7.8.2, which stems from a cross-site scripting vulnerability when generating script:ld+json tags in framework mode, which could lead to the executi...

CVSS 7.6 | AI score 6 | EPSS 0.00023
Exploits 0 | References 2
vulnersOsv
added 2026/01/08 8:57 p.m. | 3 views

@accounter/client (>=0.0.3 <=0.0.9-alpha-20260108115520-32a9af5faa8ef0a01fc31a81c85715be41f0f63f), @asamanvay/auth-service (>=0.0.2 <=0.0.4) +74 more potentially affected by CVE-2026-22030 via react-router (>=7.0.0 <=7.12.0-pre.0)

react-router NPM version =7.0.0, =0.0.3, =0.0.2, =1.1.0, =0.1.9, =2.0.1-alpha, =0.0.5, =1.8.1, =1.5.0, =16.0.12, =0.1.0, =12.81.0, =8.0.254, =12.72.0, =12.86.0 and more Source cves: CVE-2026-22030 Source advisory: SNYK:JS-REACTROUTER-14908429...

CVSS 6.5 | AI score 5.8 | EPSS 0.00028
Exploits 0
vulnersOsv
added 2026/01/08 8:54 p.m. | 6 views

@accounter/client (>=0.0.3 <=0.0.9-alpha-20260108115520-32a9af5faa8ef0a01fc31a81c85715be41f0f63f), @asamanvay/auth-service (>=0.0.2 <=0.0.4) +74 more potentially affected by CVE-2026-22029 via react-router (>=7.0.0 <=7.12.0-pre.0)

react-router NPM version =7.0.0, =0.0.3, =0.0.2, =1.1.0, =0.1.9, =2.0.1-alpha, =0.0.5, =1.8.1, =1.5.0, =16.0.12, =0.1.0, =12.81.0, =8.0.254, =12.72.0, =12.86.0 and more Source cves: CVE-2026-22029 Source advisory: SNYK:JS-REACTROUTER-14908531...

CVSS 8 | AI score 6.3 | EPSS 0.00019
Exploits 0
vulnersOsv
added 2026/01/08 8:50 p.m. | 4 views

@accounter/client (>=0.0.3 <=0.0.9-alpha-20260108115520-32a9af5faa8ef0a01fc31a81c85715be41f0f63f), @asamanvay/auth-service (>=0.0.2 <=0.0.4) +74 more potentially affected by CVE-2026-21884 via react-router (>=7.0.0 <=7.12.0-pre.0)

react-router NPM version =7.0.0, =0.0.3, =0.0.2, =1.1.0, =0.1.9, =2.0.1-alpha, =0.0.5, =1.8.1, =1.5.0, =16.0.12, =0.1.0, =12.81.0, =8.0.254, =12.72.0, =12.86.0 and more Source cves: CVE-2026-21884 Source advisory: OSV:GHSA-8V8X-CX79-35W7...

CVSS 8.2 | AI score 7.3 | EPSS 0.00022
Exploits 0
vulnersOsv
added 2026/01/08 8:48 p.m. | 3 views

10xanswers (>=1.1.0 <=1.1.16), 31g-form-parser (=1.0.107) +3216 more potentially affected by CVE-2025-68470 via react-router (>=7.0.0 <=7.9.6-pre.1)

react-router NPM version =7.0.0, =1.1.0, =1.0.0, =0.0.6, =0.0.1, =0.1.0, =3.1.0-beta.1, =1.0.0, =0.0.2, =3.1.61, =3.2.206 and more Source cves: CVE-2025-68470 Source advisory: OSV:GHSA-9JCX-V3WJ-WH4M...

CVSS 6.5 | AI score 5.8 | EPSS 0.00048
Exploits 0
Veracode
added 2025/05/05 12:22 p.m. | 5 views

Insufficient Verification Of Data Authenticity

react-router is vulnerable to data spoofing. The vulnerability is due to improper request validation, which allows manipulation of pre-rendered data via custom headers, allowing full modification of the data object embedded in HTML...

CVSS 8.2 | AI score 6.6 | EPSS 0.00625
Exploits 0 | References 4 | Affected Software 1
Veracode
added 2025/05/05 8:6 a.m. | 5 views

Cache Poisoning

react-router is vulnerable to Cache Poisoning. The vulnerability is due to improper request handling that allows header-based switching from SSR to SPA mode, which can trigger an error response that is then cached, affecting application availability...

CVSS 7.5 | AI score 6.7 | EPSS 0.00954
Exploits 0 | References 4 | Affected Software 1
OSV
added 2025/04/25 12:18 a.m. | 12 views

CVE-2025-43865 React Router allows pre-render data spoofing on React-Router framework mode

React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has bee...

CVSS 8.2 | AI score 7.2 | EPSS 0.00625
Exploits 0 | References 5
OSV
added 2025/04/25 12:18 a.m. | 4 views

CVE-2025-43864 React Router allows a DoS via cache poisoning by forcing SPA mode

React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the...

CVSS 7.5 | AI score 7 | EPSS 0.00954
Exploits 0 | References 5
CNNVD
added 2025/04/25 12:0 a.m. | 1 views

react-router security vulnerability

react-router is a declarative routing for React open-sourced by Remix. A security vulnerability exists in react-router versions prior to 7.2.0 through 7.5.2, which stems from potentially forcing an application to switch to SPA mode by adding a request header, which could lead to cache poisoning...

CVSS 7.5 | AI score 7 | EPSS 0.00954
Exploits 0 | References 4
OSV
added 2025/04/24 4:31 p.m. | 1 views

GHSA-F46R-RW29-R322 React Router allows a DoS via cache poisoning by forcing SPA mode

Summary After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this...

CVSS 7.5 | AI score 7.1 | EPSS 0.00954
Exploits 0 | References 5
Positive Technologies
added 2025/04/24 12:0 a.m. | 3 views

PT-2025-17868

Name of the Vulnerable Software and Affected Versions React Router versions 7.0 through 7.5.1 Description The issue allows an attacker to modify pre-rendered data by adding a header to the request, potentially leading to various exploits, including stored XSS. This is possible due to a...

CVSS 8.2 | AI score 7.8 | EPSS 0.00625
Exploits 0 | References 51
OSV
added 2025/04/01 10:23 p.m. | 6 views

GHSA-4Q56-CRQP-V477 Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Impact We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL...

CVSS 7.5 | AI score 7 | EPSS 0.00095
Exploits 0 | References 3
Cvelist
added 2025/04/01 6:20 p.m. | 35 views

CVE-2025-31137 Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an...

CVSS 7.5 | EPSS 0.00095
Exploits 0 | References 1