CVE-2026-21884 React Router SSR XSS in ScrollRestoration

React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript...

@buttery/tokens (>=0.1.2 <=0.1.10), @common-stack/frontend-stack-react (>=6.0.6-alpha.23 <=9.0.4-alpha.2) +6 more potentially affected by CVE-2026-21884 via @remix-run/react (>=2.0.0-pre.0 <=2.17.2)

@remix-run/react NPM version =2.0.0-pre.0, =0.1.2, =6.0.6-alpha.23, =0.1.0, =5.6.0, =0.1.36, =2.0.0, =3.0.0, =0.9.84, =0.11.29 Source cves: CVE-2026-21884 Source advisory: SNYK:JS-REMIXRUNREACT-14908292...

@b42inc/remix-i18n (=0.0.1), @briandlee/remix-return-navigation (>=1.0.0 <=1.1.0-dev0) +70 more potentially affected by CVE-2025-59057 via @remix-run/react (>=1.15.0 <=2.17.0)

@remix-run/react NPM version =1.15.0, =1.0.0, =0.1.2, =1.0.0, =6.0.6-alpha.23, =0.0.2-alpha.0, =0.0.1, =0.0.1, =0.1.0, =1.0.0, =0.0.22, =0.0.6, =0.0.1, =5.6.0, =5.28.0 and more Source cves: CVE-2025-59057 Source advisory: SNYK:JS-REMIXRUNREACT-14908290...

@b42inc/remix-i18n (=0.0.1), @briandlee/remix-return-navigation (>=1.0.0 <=1.1.0-dev0) +70 more potentially affected by CVE-2025-59057 via @remix-run/react (>=1.15.0 <=2.17.0)

@remix-run/react NPM version =1.15.0, =1.0.0, =0.1.2, =1.0.0, =6.0.6-alpha.23, =0.0.2-alpha.0, =0.0.1, =0.0.1, =0.1.0, =1.0.0, =0.0.22, =0.0.6, =0.0.1, =5.6.0, =5.28.0 and more Source cves: CVE-2025-59057 Source advisory: OSV:GHSA-3CGP-3XVW-98X8...