XSS Vulnerability in React Router Affects Remix-Run and React-Router
CVE-2026-21884

8.2 HIGH

Key Information:

Vendor: Remix-run
CVE Published: 10 January 2026

What is CVE-2026-21884?

A Cross-Site Scripting (XSS) vulnerability has been identified in React Router's API when the getKey/storageKey props are used in Framework Mode during Server-Side Rendering (SSR). The flaw permits arbitrary JavaScript execution if untrusted content is used to create the keys. The issue arises only when SSR in Framework Mode is enabled; configurations using Declarative Mode or Data Mode are not affected. The vulnerability has been addressed in updated versions of the affected packages.

Affected Version(s)

  • @remix-run/react: < 2.17.3

  • react-router: >= 7.0.0, < 7.12.0
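
To check a project against the affected ranges listed above, the following added example (not part of the original advisory or of React Router) scans the `packages` map of an npm `package-lock.json` for affected installs, including nested copies. The sample lockfile, the function names and the simplified prerelease ordering are assumptions made for the illustration.

```javascript
// Affected ranges as listed in this advisory for CVE-2026-21884.
const AFFECTED = {
  "@remix-run/react": [{ below: "2.17.3" }],
  "react-router": [{ from: "7.0.0", below: "7.12.0" }],
};

// Parse "major.minor.patch[-prerelease]"; returns null for anything else.
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// Returns <0, 0 or >0. A prerelease sorts before its release (conservative).
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null || y.pre === null) return x.pre === null ? 1 : -1;
  return x.pre < y.pre ? -1 : 1; // simplification: string order between prereleases
}

function isAffected(name, version) {
  const ranges = AFFECTED[name];
  if (!ranges || !parse(version)) return false;
  return ranges.some((r) =>
    (!r.from || compare(version, r.from) >= 0) && compare(version, r.below) < 0);
}

// Walk the lockfile "packages" map (lockfileVersion 2 or 3), nested copies included.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // skips the root "" entry
    const name = entry.name || path.slice(idx + "node_modules/".length);
    if (isAffected(name, entry.version)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react-router": { version: "7.12.0" },
  "node_modules/@remix-run/react": { version: "2.17.2" },
  "node_modules/legacy-ui/node_modules/react-router": { version: "7.4.1" },
} };
console.log(findAffected(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; a nested hit means a dependency pins its own vulnerable copy even when the top-level package is already updated.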

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
