Cross-Site Scripting Vulnerability in React Router Framework Mode
CVE-2026-33244

5.4 MEDIUM

Key Information:

Vendor: Remix-run

CVE Published: 2 June 2026

What is CVE-2026-33244?

A vulnerability in React Router allows Cross-Site Scripting (XSS) when Framework Mode is used with pre-rendering enabled. The issue arises from improper neutralization of HTTP Location header values, which can lead to XSS if the redirect location originates from an untrusted source. It affects React Router versions 7.5.1 through 7.13.1 and does not impact applications that use Declarative Mode or Data Mode. Users are urged to upgrade to version 7.13.2 or later to mitigate this risk.

Affected Version(s)

react-router >= 7.5.1, < 7.13.2
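
To check a project against this range, the following added example (not part of the advisory or of React Router) scans a parsed npm lockfile for installed `react-router` copies that fall inside it. It assumes a `package-lock.json` with lockfileVersion 2 or 3; the sample lockfile and its package names are constructed, and a hit only shows the package is present, not that Framework Mode with pre-rendering is in use.

```javascript
// Affected range from the advisory: react-router >= 7.5.1, < 7.13.2
const FIRST_AFFECTED = [7, 5, 1];
const FIRST_FIXED = [7, 13, 2];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if malformed.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(String(version));
  if (!v) return false;
  const lo = compareParts(v.parts, FIRST_AFFECTED);
  const hi = compareParts(v.parts, FIRST_FIXED);
  // Semver orders a prerelease below its release: 7.5.1-x is below the range,
  // 7.13.2-x is below the fixed release and is therefore still reported.
  if (lo < 0 || (lo === 0 && v.prerelease)) return false;
  return hi < 0 || (hi === 0 && v.prerelease);
}

// Walk the lockfile "packages" map, including copies nested under other dependencies.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isReactRouter = /(^|\/)node_modules\/react-router$/.test(path);
    if (isReactRouter && isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (package names other than react-router are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react-router": { version: "7.9.4" },
    "node_modules/some-ui-kit/node_modules/react-router": { version: "7.13.2" },
    "node_modules/legacy-widget/node_modules/react-router": { version: "6.30.0" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

In a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findAffected`.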

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
