4876 matches found

Github Security Blog
added 2026/01/08 8:54 p.m. | 24 views

React Router vulnerable to XSS via Open Redirects

React Router and Remix v1/v2 SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if developers are creating redirect paths...

CVSS 8 | AI score 7.1 | EPSS 0.00009
Exploits 0 | References 3 | Affected Software 2
vulnersOsv
added 2026/01/08 8:54 p.m. | 3 views

@accounter/client (>=0.0.3 <=0.0.9-alpha-20260108115520-32a9af5faa8ef0a01fc31a81c85715be41f0f63f), @asamanvay/auth-service (>=0.0.2 <=0.0.4) +74 more potentially affected by CVE-2026-22029 via react-router (>=7.0.0 <=7.12.0-pre.0)

react-router NPM version =7.0.0, =0.0.3, =0.0.2, =1.1.0, =0.1.9, =2.0.1-alpha, =0.0.5, =1.8.1, =1.5.0, =16.0.12, =0.1.0, =12.81.0, =8.0.254, =12.72.0, =12.86.0 and more Source cves: CVE-2026-22029 Source advisory: OSV:GHSA-2W69-QVJG-HVJX...

CVSS 8 | AI score 6.3 | EPSS 0.00009
Exploits 0
OSV
added 2026/01/08 8:54 p.m. | 9 views

GHSA-2W69-QVJG-HVJX React Router vulnerable to XSS via Open Redirects

React Router and Remix v1/v2 SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if developers are creating redirect paths...

CVSS 8 | AI score 7 | EPSS 0.00009
Exploits 0 | References 3
vulnersOsv
added 2026/01/08 8:50 p.m. | 4 views

@accounter/client (>=0.0.3 <=0.0.9-alpha-20260108115520-32a9af5faa8ef0a01fc31a81c85715be41f0f63f), @asamanvay/auth-service (>=0.0.2 <=0.0.4) +74 more potentially affected by CVE-2026-21884 via react-router (>=7.0.0 <=7.12.0-pre.0)

react-router NPM version =7.0.0, =0.0.3, =0.0.2, =1.1.0, =0.1.9, =2.0.1-alpha, =0.0.5, =1.8.1, =1.5.0, =16.0.12, =0.1.0, =12.81.0, =8.0.254, =12.72.0, =12.86.0 and more Source cves: CVE-2026-21884 Source advisory: SNYK:JS-REACTROUTER-14908293...

CVSS 8.2 | AI score 7.3 | EPSS 0.00009
Exploits 0
vulnersOsv
added 2026/01/08 8:50 p.m. | 4 views

@accounter/client (>=0.0.3 <=0.0.9-alpha-20260108115520-32a9af5faa8ef0a01fc31a81c85715be41f0f63f), @asamanvay/auth-service (>=0.0.2 <=0.0.4) +74 more potentially affected by CVE-2026-21884 via react-router (>=7.0.0 <=7.12.0-pre.0)

react-router NPM version =7.0.0, =0.0.3, =0.0.2, =1.1.0, =0.1.9, =2.0.1-alpha, =0.0.5, =1.8.1, =1.5.0, =16.0.12, =0.1.0, =12.81.0, =8.0.254, =12.72.0, =12.86.0 and more Source cves: CVE-2026-21884 Source advisory: OSV:GHSA-8V8X-CX79-35W7...

CVSS 8.2 | AI score 7.3 | EPSS 0.00009
Exploits 0
vulnersOsv
added 2026/01/08 8:50 p.m. | 3 views

@buttery/tokens (>=0.1.2 <=0.1.10), @common-stack/frontend-stack-react (>=6.0.6-alpha.23 <=9.0.2-alpha.7) +6 more potentially affected by CVE-2026-21884 via @remix-run/react (>=2.0.0-pre.0 <=2.17.2)

@remix-run/react NPM version =2.0.0-pre.0, =0.1.2, =6.0.6-alpha.23, =0.1.0, =5.6.0, =0.1.36, =2.0.0, =3.0.0, =0.9.84, =0.11.29 Source cves: CVE-2026-21884 Source advisory: SNYK:JS-REMIXRUNREACT-14908292...

CVSS 8.2 | AI score 7.3 | EPSS 0.00009
Exploits 0
OSV
added 2026/01/08 8:50 p.m. | 2 views

GHSA-8V8X-CX79-35W7 React Router SSR XSS in ScrollRestoration

An XSS vulnerability exists in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. Note: This does not impact applications if...

CVSS 8.2 | AI score 6.3 | EPSS 0.00009
Exploits 0 | References 3
Github Security Blog
added 2026/01/08 8:50 p.m. | 6 views

React Router SSR XSS in ScrollRestoration

An XSS vulnerability exists in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. Note: This does not impact applications if...

CVSS 8.2 | AI score 6.5 | EPSS 0.00009
Exploits 0 | References 3 | Affected Software 2
vulnersOsv
added 2026/01/08 8:50 p.m. | 4 views

@b42inc/remix-i18n (=0.0.1), @briandlee/remix-return-navigation (>=1.0.0 <=1.1.0-dev0) +72 more potentially affected by CVE-2026-21884 via @remix-run/react (>=0.0.0-experimental-a7ab46039 <=2.17.2)

@remix-run/react NPM version =0.0.0-experimental-a7ab46039, =1.0.0, =0.1.2, =1.0.0, =6.0.6-alpha.23, =0.0.2-alpha.0, =0.0.1, =0.0.1, =0.1.0, =1.0.0, =0.0.22, =0.0.6, =0.1.0, =0.0.1, =5.0.4 and more Source cves: CVE-2026-21884 Source advisory: OSV:GHSA-8V8X-CX79-35W7...

CVSS 8.2 | AI score 7.3 | EPSS 0.00009
Exploits 0
Snyk
added 2026/01/08 8:48 p.m. | 2 views

Open Redirect

Overview: Affected versions of this package are vulnerable to Open Redirect via the resolvePath function when used with navigate, , or redirect. An attacker can cause the application to redirect users to external, potentially malicious URLs by supplying crafted paths. Note: This is only exploitabl...

CVSS 7.1 | AI score 6.7 | EPSS 0.00036
Exploits 0 | References 2
OSV
added 2026/01/08 8:48 p.m. | 2 views

GHSA-9JCX-V3WJ-WH4M React Router has unexpected external redirect via untrusted paths

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate, , or redirect, the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code...

CVSS 6.5 | AI score 5.9 | EPSS 0.00036
Exploits 0 | References 3
vulnersOsv
added 2026/01/08 8:48 p.m. | 2 views

@1023-ventures/merope2 (>=0.2.1 <=0.2.9), @1023-ventures/vega-core (>=0.5.0 <=0.6.2) +1105 more potentially affected by CVE-2025-68470 via react-router (>=6.0.0 <=6.30.2-pre-v6.0)

react-router NPM version =6.0.0, =0.2.1, =0.5.0, =0.0.1, =0.0.1, =3.0.0, =1.0.0, =1.0.0, =1.0.0, =2.7.0, =0.0.1, =0.1.0, =0.0.0, =23.1.12, =5.0.0, =6.1.12 and more Source cves: CVE-2025-68470 Source advisory: SNYK:JS-REACTROUTER-14908286...

CVSS 6.5 | AI score 5.8 | EPSS 0.00036
Exploits 0
Github Security Blog
added 2026/01/08 8:48 p.m. | 6 views

React Router has unexpected external redirect via untrusted paths

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate, , or redirect, the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code...

CVSS 6.5 | AI score 6.8 | EPSS 0.00036
Exploits 0 | References 3 | Affected Software 1
vulnersOsv
added 2026/01/08 8:48 p.m. | 2 views

org.webjars.npm:react-router-dom (>=6.0.0-beta.8 <=6.30.0) potentially affected by CVE-2025-68470 via org.webjars.npm:react-router (>=6.0.0-beta.8 <=6.30.0)

org.webjars.npm:react-router MAVEN version =6.0.0-beta.8, =6.0.0-beta.8, =6.30.0 Source cves: CVE-2025-68470 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-14908288...

CVSS 6.5 | AI score 5.8 | EPSS 0.00036
Exploits 0
vulnersOsv
added 2026/01/08 8:48 p.m. | 3 views

10xanswers (>=1.1.0 <=1.1.16), 31g-form-parser (=1.0.107) +3216 more potentially affected by CVE-2025-68470 via react-router (>=7.0.0 <=7.9.6-pre.1)

react-router NPM version =7.0.0, =1.1.0, =1.0.0, =0.0.6, =0.0.1, =0.1.0, =3.1.0-beta.1, =1.0.0, =0.0.2, =3.1.61, =3.2.206 and more Source cves: CVE-2025-68470 Source advisory: OSV:GHSA-9JCX-V3WJ-WH4M...

CVSS 6.5 | AI score 5.8 | EPSS 0.00036
Exploits 0
vulnersOsv
added 2026/01/08 8:48 p.m. | 3 views

10xanswers (>=1.1.0 <=1.1.16), 31g-form-parser (=1.0.107) +3216 more potentially affected by CVE-2025-68470 via react-router (>=7.0.0 <=7.9.6-pre.1)

react-router NPM version =7.0.0, =1.1.0, =1.0.0, =0.0.6, =0.0.1, =0.1.0, =3.1.0-beta.1, =1.0.0, =0.0.2, =3.1.61, =3.2.206 and more Source cves: CVE-2025-68470 Source advisory: SNYK:JS-REACTROUTER-14908286...

CVSS 6.5 | AI score 5.8 | EPSS 0.00036
Exploits 0
vulnersOsv
added 2026/01/08 8:48 p.m. | 3 views

@1023-ventures/merope2 (>=0.2.1 <=0.2.9), @1023-ventures/vega-core (>=0.5.0 <=0.6.2) +1105 more potentially affected by CVE-2025-68470 via react-router (>=6.0.0 <=6.30.2-pre-v6.0)

react-router NPM version =6.0.0, =0.2.1, =0.5.0, =0.0.1, =0.0.1, =3.0.0, =1.0.0, =1.0.0, =1.0.0, =2.7.0, =0.0.1, =0.1.0, =0.0.0, =23.1.12, =5.0.0, =6.1.12 and more Source cves: CVE-2025-68470 Source advisory: OSV:GHSA-9JCX-V3WJ-WH4M...

CVSS 6.5 | AI score 5.8 | EPSS 0.00036
Exploits 0
Snyk
added 2026/01/08 8:48 p.m. | 3 views

Open Redirect

Overview: Affected versions of this package are vulnerable to Open Redirect via the resolvePath function when used with navigate, , or redirect. An attacker can cause the application to redirect users to external, potentially malicious URLs by supplying crafted paths. Note: This is only exploitabl...

CVSS 7.1 | AI score 6.7 | EPSS 0.00036
Exploits 0 | References 2
OSV
added 2026/01/08 8:45 p.m. | 5 views

GHSA-9583-H5HC-X8CW React Router has Path Traversal in File Session Storage

If applications use createFileSessionStorage from @react-router/node or @remix-run/node/@remix-run/deno in Remix v2 with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the...

CVSS 9.1 | AI score 6.6 | EPSS 0.00036
Exploits 0 | References 3
vulnersOsv
added 2026/01/08 8:45 p.m. | 4 views

@agent-native/core (>=0.4.2 <=0.14.6), @akrc/fnpm (=1.13.1) +111 more potentially affected by CVE-2025-61686 via @react-router/node (>=7.0.0 <=7.9.4-pre.0)

@react-router/node NPM version =7.0.0, =0.4.2, =0.2.3, =7.8.3-alpha.1, =0.9.1, =0.7.1, =0.1.0, =0.1.0, =0.0.1-dev.8, =0.0.1-0, =0.0.1-alpha.6, =3.8.8, =0.3.1, =0.0.13, =0.0.53 and more Source cves: CVE-2025-61686 Source advisory: OSV:GHSA-9583-H5HC-X8CW...

CVSS 9.1 | AI score 6 | EPSS 0.00036
Exploits 0