CSRF Bypass in React Router from Remix Run
CVE-2026-53663

3.1 LOW

Key Information:

Vendor: Remix-run

CVE Published: 22 June 2026

What is CVE-2026-53663?

A Cross-Site Request Forgery (CSRF) vulnerability exists in React Router versions 7.12.0 up to, but not including, 7.15.1: insufficient CSRF checks in Framework Mode allow the protections to be bypassed on PUT, PATCH, and DELETE requests. Modern browser defenses reduce the risk by blocking these attack vectors, but it remains crucial to update to version 7.15.1 to ensure comprehensive security. Regular updates and adherence to best practices are essential for maintaining application integrity.

Affected Version(s)

react-router >= 7.12.0, < 7.15.1

server-runtime >= 2.17.3, < 2.17.5

CVSS V3.1

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
