VYPR

React Router

by Remix Run

CVEs (16)

  • CVE-2026-42342 · High · Jun 2, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint,…

  • CVE-2026-42211 · High · Jun 2, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing…

  • CVE-2025-43865 · High · Apr 25, 2025
    risk 0.46 · cvss 8.2 · epss 0.01

    React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows completely spoofing its contents and modifying all the values of the data object passed to the…

  • CVE-2026-33245 · High · Jun 2, 2026
    risk 0.45 · cvss 8.0 · epss 0.00

    React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted…

  • CVE-2026-22029 · High · Jan 10, 2026
    risk 0.45 · cvss 8.0 · epss 0.01

    React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can…

  • CVE-2025-43864 · High · Apr 25, 2025
    risk 0.44 · cvss 7.5 · epss 0.24

    React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that…

  • CVE-2026-34077 · High · Jun 2, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted…

  • CVE-2025-31137 · High · Apr 1, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the…

  • CVE-2026-40181 · Medium · Jun 2, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The…

  • CVE-2026-33244 · Medium · Jun 2, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect…

  • CVE-2026-53663 · Low · Jun 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Certain CSRF checks in React Router v7 Framework Mode were insufficient and ran on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the…

  • CVE-2026-22030 · Jan 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in…

  • CVE-2026-21884 · Jan 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering…

  • CVE-2025-61686 · Jan 10, 2026
    risk 0.00 · cvss n/a · epss 0.16

    React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno…

  • CVE-2025-59057 · Jan 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags which could allow…

  • CVE-2025-68470 · Jan 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an…