Client-side XSS Vulnerability in React Router Affects React Applications
CVE-2026-33245

8 HIGH

Key Information:

Vendor: Remix-run
CVE Published: 2 June 2026

What is CVE-2026-33245?

A client-side Cross-Site Scripting (XSS) vulnerability exists in React Router versions 7.7.0 through 7.13.1, specifically when utilizing unstable React Server Components (RSC) APIs. This weakness can arise during redirect handling if the redirects are sourced from untrusted origins, potentially enabling attackers to execute malicious scripts in a user's browser. Applications that do not employ the unstable RSC APIs in React Router are not affected. The issue has been resolved in version 7.13.2, which users should upgrade to in order to mitigate this vulnerability.

Affected Version(s)

react-router >= 7.7.0, < 7.13.2
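
The affected range above, applied to an npm lockfile. This is an added example, not code from the advisory or from the React Router project. It assumes the lockfile v2/v3 `packages` layout, uses a constructed sample lockfile, and treats prereleases of 7.13.2 as still affected (a conservative assumption).

```javascript
// Added example: flag react-router installs inside the advisory's affected range.
const FIRST_AFFECTED = [7, 7, 0]; // from the advisory: >= 7.7.0
const FIRST_FIXED = [7, 13, 2];   // from the advisory: < 7.13.2

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return false; // unparseable (git/tarball specs): review by hand
  const lo = cmp(p.nums, FIRST_AFFECTED), hi = cmp(p.nums, FIRST_FIXED);
  if (lo === 0 && p.pre) return false; // 7.7.0-x sorts before 7.7.0
  if (hi === 0 && p.pre) return true;  // assumption: 7.13.2-x predates the fix
  return lo >= 0 && hi < 0;
}

// Walk the "packages" map of an npm lockfile (v2/v3), including nested copies.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/react-router$/.test(path)) continue;
    if (meta && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react-router": { version: "7.13.2" },
    "node_modules/react-router-dom": { version: "7.9.4" },
    "node_modules/some-widget/node_modules/react-router": { version: "7.9.4" },
    "node_modules/legacy/node_modules/react-router": { version: "6.30.1" },
  },
};

for (const h of findAffected(sampleLock)) {
  console.log(`affected: ${h.path} @ ${h.version} (upgrade to 7.13.2 or later)`);
}
```

A hit means a vulnerable copy is installed, including one pulled in transitively; per the advisory, the application is exposed only if it uses the unstable RSC APIs.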

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
