Cross-Site Scripting Vulnerability in React Router by Remix
CVE-2026-34077

7.5 HIGH

Key Information:

Vendor: Remix-run

CVE Published: 2 June 2026

What is CVE-2026-34077?

React Router versions 7.7.0 through 7.13.1 contain a potential Cross-Site Scripting (XSS) vulnerability when the unstable React Server Components (RSC) APIs are used. The issue arises specifically in the handling of redirects from untrusted sources, which could allow malicious script injection. Applications that do not use the unstable RSC APIs are not affected. The vulnerability is fixed in version 7.13.2; update to the latest release to pick up the fix.

Affected Version(s)

react-router >= 7.0.0, < 7.14.0

turbo-stream < 3.0.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
