CVE-2026-21884
Last modified
CVE-2026-21884 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. React Router is a router for React. In @remix-run/react version prior to 2.17.3. EPSS estimates a 0.37% chance of exploitation in the next 30 days.
Description
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Shopify | React-Router | >= 7.0.0, <= 7.11.0 |
| Shopify | Remix-Run\/React | < 2.17.3 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-21884?
How severe is CVE-2026-21884?
How do I fix CVE-2026-21884?
Are you affected by CVE-2026-21884?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST