CVE-2026-42211
Description
React Router v7 (Framework Mode) allows RCE via prototype pollution, affecting versions 7.0.0-7.14.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
React Router versions 7.0.0 through 7.14.1 are vulnerable when using Framework Mode. This vulnerability requires an existing prototype pollution vulnerability within the application code to be exploitable. Applications using Declarative Mode or Data Mode (`createBrowserRouter`) are not affected [1].
Exploitation
An attacker can exploit this vulnerability by chaining a two-step attack onto an existing prototype pollution vulnerability. The second step of this attack can trigger unauthorized remote code execution on the remote server. This requires the application to already be vulnerable to prototype pollution [1].
Impact
Successful exploitation allows an attacker to achieve unauthorized remote code execution (RCE) on the remote server. The scope of the compromise is the remote server itself [1].
Mitigation
This vulnerability is patched in version 7.14.2. Users are advised to update to this version or later. Applications using Framework Mode are affected, while those using Declarative Mode or Data Mode are not [1].
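A lockfile check for the fix described above, as an added example that is not part of the original advisory or the React Router project: it flags installed `react-router` versions from 7.0.0 up to but excluding 7.14.2 in a parsed `package-lock.json`. Treating the presence of `@react-router/dev` as a sign of Framework Mode is an assumption of this example, and the sample lockfile is constructed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for the react-router range named on this page (7.0.0 up to, not including, 7.14.2).
const FIRST_AFFECTED = [7, 0, 0];
const FIRST_PATCHED = [7, 14, 2];

// Parse "7.14.1" or "7.14.2-pre.0" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable or missing version: flag for manual review
  // A prerelease of 7.14.2 sorts before the 7.14.2 release, so it is still "<7.14.2".
  if (cmp(p.nums, FIRST_PATCHED) === 0) return p.pre;
  // Prereleases of 7.0.0 are flagged too (conservative choice of this example).
  return cmp(p.nums, FIRST_AFFECTED) >= 0 && cmp(p.nums, FIRST_PATCHED) < 0;
}

function auditLockfile(lock) {
  const findings = [];
  let frameworkHint = false; // assumption: @react-router/dev implies Framework Mode
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // also matches nested copies
    if (name === "@react-router/dev") frameworkHint = true;
    if (name === "react-router" && isAffected(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return { findings, frameworkHint, actionRequired: findings.length > 0 && frameworkHint };
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-router": { version: "7.9.3" },
    "node_modules/@react-router/dev": { version: "7.9.3" },
    "node_modules/some-lib/node_modules/react-router": { version: "7.14.2" },
  },
};
console.log(auditLockfile(sampleLock));
```

An empty `findings` list with `frameworkHint` set means the installed copies are at 7.14.2 or later; a non-empty list without the hint still deserves a manual look at how the router is used.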
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.14.2
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.