Remote Code Execution Vulnerability in React Router by Remix Run
CVE-2026-42211

8.1HIGH

Key Information:

Vendor: Remix-run
Status: React-router
Vendor: CVE Published:; 2 June 2026

What is CVE-2026-42211?

In React Router versions 7.0.0 through 7.14.1, a security vulnerability exists when operating in Framework Mode that could enable remote code execution through carefully crafted external requests. This requires the application code to already have a prototype pollution vulnerability, setting the stage for a two-step attack. The first step exploits the existing vulnerability, while the second step carries out the unauthorized remote code execution on the targeted remote server. Applications using Declarative Mode or Data Mode remain unaffected. This critical issue has been resolved in version 7.14.2.

Affected Version(s)

react-router >= 7.0.0, < 7.14.2

References

https://github.com/remix-run/react-router/security/adviso...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 2, 2026
Vulnerability Reserved
Apr 25, 2026

CVE-2026-42211 Data

JSON

Remix-run

What is CVE-2026-42211?

Affected Version(s)

References

CVSS V3.1

Timeline