VYPR
High severity8.1NVD Advisory· Published Jun 2, 2026· Updated Jun 4, 2026

CVE-2026-42211

CVE-2026-42211

Description

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`) or Data Mode (createBrowserRouter/`). This is patched in version 7.14.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
react-routernpm
>= 7.0.0, < 7.14.27.14.2

Affected products

5

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.