PT-2026-2120 · Unknown · React Router+1

Zaddy6 · Published 2026-01-08 · Updated 2026-01-15 · CVE-2026-21884

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

@remix-run/react versions prior to 2.17.3
react-router versions 7.0.0 through 7.11.0

Description

React Router, a router for React, contains a cross-site scripting (XSS) issue within the <ScrollRestoration> API when operating in Framework Mode during Server-Side Rendering (SSR). This flaw arises when utilizing the getKey or storageKey props, potentially enabling arbitrary JavaScript execution if untrusted content is used to generate the keys. The issue does not impact systems where server-side rendering in Framework Mode is disabled, or when using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). The vulnerability is triggered during SSR and could allow for the execution of malicious scripts.

Recommendations

@remix-run/react versions prior to 2.17.3 should be updated to version 2.17.3 or later.
react-router versions 7.0.0 through 7.11.0 should be updated to version 7.12.0 or later.
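
To find installs that still need the update above, the following added example (not code from the advisory or from the React Router project) scans the `packages` map of a package-lock.json for versions in the affected ranges. The lockfile fragment and the function names are constructed for illustration; treating every react-router release below the fixed 7.12.0 as affected is an assumption drawn from the recommendation.

```javascript
// Added example: flag lockfile entries inside the ranges this advisory lists.
// Range bounds come from the advisory; the lockfile below is constructed.
const AFFECTED = {
  "@remix-run/react": { below: [2, 17, 3] }, // prior to 2.17.3
  // Listed as 7.0.0 through 7.11.0, fixed in 7.12.0: flag [7.0.0, 7.12.0).
  "react-router": { from: [7, 0, 0], below: [7, 12, 0] },
};

// Numeric core only; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(name, version) {
  const range = AFFECTED[name];
  const v = parseVersion(version);
  if (!range || !v) return false;
  if (range.from && compare(v, range.from) < 0) return false;
  return compare(v, range.below) < 0;
}

// Walks lockfile v2/v3 "packages" keys, including nested node_modules copies.
function findAffected(lock) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // the root project entry has an empty key
    const name = path.slice(idx + marker.length);
    if (isAffected(name, meta.version)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react-router": { version: "7.9.4" },
  "node_modules/@remix-run/react": { version: "2.17.3" },
  "node_modules/legacy/node_modules/@remix-run/react": { version: "2.15.0" },
  "node_modules/react-router-dom": { version: "7.9.4" },
  "node_modules/other/node_modules/react-router": { version: "6.28.0" },
}};
console.log(findAffected(sampleLock));
```

A version match only identifies candidates: per the description, exposure additionally requires Framework Mode SSR with untrusted content feeding getKey or storageKey.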

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-21884
GHSA-8V8X-CX79-35W7
RHSA-2026:3958

Affected Products

@remix-run/react
React Router