Is there a public PoC exploit available for CVE-2026-40181?

Yes, a public proof-of-concept exploit is available for CVE-2026-40181. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-40181?

Yes, a patch is available for CVE-2026-40181. Update the affected software to the latest version immediately.

React Router CVE-2026-40181

Q: What is the CVSS score of CVE-2026-40181?

CVE-2026-40181 has a CVSS 4.0 base score of 6.6 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

Q: Which versions of React Router are affected by CVE-2026-40181?

Open redirect in React Router's programmatic `redirect()` function allows unauthenticated remote attackers to redirect users to arbitrary external domains by supplying path values beginning with…. A patch is available.

EUVD-2026-33996 MEDIUM

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2026-06-02 GitHub_M

GHSA-2j2x-hqr9-3h42

Open Redirect

6.6

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.6 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

SUSE

4.3 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

Jun 02, 2026 - 21:02 EUVD

Analysis Generated

Jun 02, 2026 - 20:30 vuln.today

CVSS changed

Jun 02, 2026 - 20:22 NVD

6.6 (MEDIUM)

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

6 npm packages depend on react-router (3 direct, 3 indirect)

Ecosystem-wide dependent count for version 7.0.0.

DescriptionGitHub Advisory

React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.

AnalysisAI

Open redirect in React Router's programmatic redirect() function allows unauthenticated remote attackers to redirect users to arbitrary external domains by supplying path values beginning with //, which browsers interpret as protocol-relative (scheme-relative) URLs. Affected are applications in the v7 series (7.0.0-7.14.0) and v6 series (6.7.0-6.30.3) that expose user-influenced input to redirect() without validating the path prefix. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify application endpoint passing user-supplied path to redirect()

Delivery

Craft URL with //-prefixed attacker domain as path value

Exploit

Deliver crafted URL to victim via phishing or link injection

Execution

Victim follows URL; React Router issues 3xx redirect response

Persist

Browser resolves // as protocol-relative URL using current scheme

Impact

Victim navigates to attacker-controlled domain

Access

Identify application endpoint passing user-supplied path to redirect()

Delivery

Craft URL with //-prefixed attacker domain as path value

Exploit

Deliver crafted URL to victim via phishing or link injection

Execution

Victim follows URL; React Router issues 3xx redirect response

Persist

Browser resolves // as protocol-relative URL using current scheme

Impact

Victim navigates to attacker-controlled domain

Vulnerability AssessmentAI

Exploitation	Exploitation requires two concurrent conditions: (1) the application must use React Router's programmatic `redirect()` function rather than Declarative Mode (`<BrowserRouter>` and JSX routes), and (2) attacker-influenced input must reach the `redirect()` call without prior validation that rejects path values beginning with `//`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 4.0 base score of 6.6 (Medium) reflects network reachability (AV:N), low attack complexity (AC:L), no additional attack requirements (AT:N), no privileges required (PR:N), and high integrity impact on the vulnerable system (VI:H), with zero confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker identifies a React Router application that accepts a user-controlled `next` or `redirect_to` query parameter and passes it to `redirect()` without sanitization - a common pattern in login and OAuth flows. The attacker distributes a crafted URL such as `https://app.example.com/login?next=//evil.com/fake-login`, which the server processes by calling `redirect('//evil.com/fake-login')`; the browser receives the 3xx response and, interpreting `//evil.com` as `https://evil.com`, silently navigates the victim to a phishing page that mirrors the application's login UI. …
Remediation	Vendor-released patches are available: upgrade to React Router 7.14.1 for v7 installations or 6.30.4 for v6 installations - these are the confirmed fix versions per the GitHub Security Advisory GHSA-2j2x-hqr9-3h42. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM This Month

6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire

CVE-2026-45566 MEDIUM This Month

6.1 Jun 10

Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authent

CVE-2026-50089 MEDIUM This Month

6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara

CVE-2026-10837 MEDIUM This Month

5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2026-10839 MEDIUM This Month

5.1 Jun 17

Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to

Vendor StatusVendor

SUSE

Severity: Medium

Product	Status
SUSE Linux Enterprise Module for Package Hub 15 SP7	Fixed
SUSE Linux Enterprise Module for SAP Applications 15 SP7	Fixed
SUSE Linux Enterprise Server 16.0	Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7	Fixed
SUSE Linux Enterprise Server for SAP applications 16.0	Fixed

CVE-2026-40181 vulnerability details – vuln.today

Back

React Router CVE-2026-40181

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

More from same product – last 7 days

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code