Skip to main content

React Router EUVDEUVD-2026-33986

| CVE-2026-33244 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 GitHub_M GHSA-f22v-gfqf-p8f3
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 19:01 EUVD
Analysis Generated
Jun 02, 2026 - 17:33 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 14 npm packages depend on react-router (7 direct, 8 indirect)

Ecosystem-wide dependent count for version 7.5.1.

DescriptionGitHub Advisory

React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This is patched in version 7.13.2.

AnalysisAI

Cross-site scripting in React Router's Framework Mode (versions 7.5.1-7.13.1) allows an authenticated attacker with influence over redirect destinations to inject malicious content into statically pre-rendered HTML files via an unsanitized HTTP Location header. Exploitation requires both low-privilege authentication (confirmed by CVSS PR:L) and victim user interaction (UI:R), limiting mass exploitation. No public exploit has been identified at time of analysis, and CISA KEV status is not confirmed. A vendor-released patch exists in version 7.13.2.

Technical ContextAI

React Router (CPE: cpe:2.3:a:remix-run:react-router:*:*:*:*:*:*:*:*) is a widely-adopted routing library for React applications maintained by the remix-run organization. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation - XSS): during static pre-rendering in Framework Mode, the library processes server-side redirect responses and writes the HTTP Location header value directly into generated static HTML files without adequate sanitization or encoding. If the redirect destination is supplied by or influenced by an untrusted source, attacker-controlled content enters the HTML output unescaped. This code path is exclusive to Framework Mode with pre-rendering enabled; the Declarative Mode (BrowserRouter) and Data Mode (createBrowserRouter/RouterProvider) do not perform static HTML generation and are explicitly not affected. The CVSS S:C (Changed Scope) component reflects that the injected script executes in the victim's browser context, outside the application's own origin boundary.

RemediationAI

Vendor-released patch: React Router 7.13.2. Teams should upgrade immediately by updating their package dependency - e.g., running npm install react-router@7.13.2 or the equivalent for their package manager. The authoritative advisory is at https://github.com/remix-run/react-router/security/advisories/GHSA-f22v-gfqf-p8f3. If an immediate upgrade is not feasible, a targeted workaround is to disable pre-rendering in Framework Mode, which eliminates the vulnerable static HTML generation path at the cost of losing static-site generation performance benefits - pages would then be rendered dynamically at request time. A second compensating control is to validate and sanitize all redirect Location header values at the application layer before they are returned in server responses, ensuring only allowlisted URLs or properly encoded destinations are used. Neither workaround is a substitute for patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

EUVD-2026-33986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy