VYPR

React Router

by Shopify

CVEs (5)

  • CVE-2026-42342 | High | Jun 2, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint,…

  • CVE-2026-42211 | High | Jun 2, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing…

  • CVE-2026-22029 | High | Jan 10, 2026
    risk 0.45 | cvss 8.0 | epss 0.01

    React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can…

  • CVE-2026-34077 | High | Jun 2, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted…

  • CVE-2026-40181 | Medium | Jun 2, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The…