What is the CVSS score of CVE-2026-22030?

CVE-2026-22030 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of React are affected by CVE-2026-22030?

Organizations using React Router should be aware of notable risk from CVE-2026-22030 rated CVSS 6.5. Exploitation could compromise the security of affected deployments.. A patch is available.

React CVE-2026-22030

MEDIUM

Origin Validation Error (CWE-346)

2026-01-10 security-advisories@github.com

GHSA-h5cw-625j-3rxh

CSRF React Red Hat React Router Suse

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 10, 2026 - 03:15 nvd

MEDIUM 6.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

11 npm packages depend on @remix-run/server-runtime (5 direct, 6 indirect)
6 npm packages depend on react-router (3 direct, 3 indirect)

Ecosystem-wide dependent count for version 2.17.3 and other introduced versions.

DescriptionNVD

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.

AnalysisAI

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory