PT-2026-49578 · Npm · @Remix-Run/Server-Runtime+1

Published: 2026-06-15 · Updated: 2026-06-15 · CVE-2026-53663

CVSS v3.1: 3.1 (Low)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: React Router version 7

Description: Insufficient Cross-Site Request Forgery (CSRF) checks in Framework Mode allow bypasses when using 'PUT', 'PATCH', or 'DELETE' requests, as the checks were primarily applied to 'POST' requests. CSRF is a type of attack where an unauthorized command is transmitted from a user that the web application trusts. This issue is mitigated by modern browser protections such as SameSite cookies and CORS preflight checks.

Recommendations: Update React Router version 7 to a version containing the fix. As a temporary mitigation, avoid using Framework Mode or switch to Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
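The gap described above, shown as an added sketch that is not React Router's code: a CSRF check gated on 'POST' only, beside one gated on every non-safe method. It assumes the check is an Origin-versus-Host comparison, which the advisory does not specify; the function names, hosts and requests are constructed for illustration.

```javascript
// Added illustration, not React Router's source. All names are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Assumed check: the Origin header must name the host the request was sent to.
// A missing or unparsable Origin (including the literal "null") is rejected.
function sameOrigin(headers) {
  const { origin, host } = headers;
  if (!origin || !host) return false;
  try {
    return new URL(origin).host === host;
  } catch {
    return false;
  }
}

// Shape of the flaw: only POST is treated as state-changing.
function postOnlyCheck(req) {
  if (req.method.toUpperCase() !== "POST") return true; // PUT/PATCH/DELETE pass unchecked
  return sameOrigin(req.headers);
}

// Corrected shape: everything outside the safe-method set is checked.
function unsafeMethodCheck(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return true;
  return sameOrigin(req.headers);
}

// Constructed requests: each method sent once same-origin and once cross-origin.
function compareChecks() {
  const origins = { same: "https://app.example", cross: "https://other.example" };
  const rows = [];
  for (const method of ["GET", "POST", "PUT", "PATCH", "DELETE"]) {
    for (const [kind, origin] of Object.entries(origins)) {
      const req = { method, headers: { host: "app.example", origin } };
      rows.push({ method, kind, postOnly: postOnlyCheck(req), allUnsafe: unsafeMethodCheck(req) });
    }
  }
  return rows;
}

// Rows where the two checks disagree are the requests the POST-only check accepts.
function bypassedMethods() {
  return compareChecks().filter((r) => r.postOnly && !r.allUnsafe).map((r) => `${r.method}:${r.kind}`);
}

console.log(bypassedMethods());
```

The same comparison works as a regression test for any custom middleware placed in front of Framework Mode routes: the list of disagreeing rows should be empty once the check covers all non-safe methods.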

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-53663
GHSA-84G9-W2XQ-VCV6

Affected Products

@Remix-Run/Server-Runtime
React Router