{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-21884", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T17:24:36.928Z", "datePublished": "2026-01-10T02:41:44.944Z", "dateUpdated": "2026-06-30T12:06:48.401Z" }, "containers": { "cna": { "title": "React Router SSR XSS in ScrollRestoration", "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" } } ], "references": [ { "name": "https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7" } ], "affected": [ { "vendor": "remix-run", "product": "react-router", "versions": [ { "version": "@remix-run/react < 2.17.3", "status": "affected" }, { "version": "react-router >= 7.0.0, < 7.12.0", "status": "affected" } ] } ], "providerMetadata": { "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T02:41:44.944Z" }, "descriptions": [ { "lang": "en", "value": "React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0." } ], "source": { "advisory": "GHSA-8v8x-cx79-35w7", "discovery": "UNKNOWN" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "id": "CVE-2026-21884", "role": "CISA Coordinator", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "version": "2.0.3", "timestamp": "2026-01-13T04:55:52.068631Z" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:51.084Z" } }, { "affected": [ { "cpes": [ "cpe:/a:redhat:ansible_automation_platform:2.6::el9", "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el9", "cpe:/a:redhat:ansible_automation_platform_inside:2.6::el9" ], "defaultStatus": "affected", "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 9", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ansible_automation_platform:2.6::el9" ], "defaultStatus": "affected", "product": "Red Hat Ansible Automation Platform 2.6", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai:2.25::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI 2.25", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai:3.3::el9" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI 3.3", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:ansible_automation_platform:2.6::el10", "cpe:/a:redhat:ansible_automation_platform_developer:2.6::el10" ], "defaultStatus": "unaffected", "product": "Red Hat Ansible Automation Platform 2.6 for RHEL 10", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:kueue_operator:1" ], "defaultStatus": "unaffected", "product": "Red Hat Build of Kueue", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:10" ], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:9" ], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat" } ], "datePublic": "2026-01-10T02:41:44.944Z", "descriptions": [ { "lang": "en", "value": "A cross site scripting flaw has been discovered in the npm react-router package. The cross site scripting (XSS) vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE" } ] } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2026-21884" }, { "name": "RHBZ#2428421", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428421" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21884.json" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3958" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3960" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:3782" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:19712" } ], "solutions": [ { "lang": "en", "value": "RHSA-2026:3958: Red Hat Ansible Automation Platform 2.6 for RHEL 9" }, { "lang": "en", "value": "RHSA-2026:3960: Red Hat Ansible Automation Platform 2.6" }, { "lang": "en", "value": "RHSA-2026:3782: Red Hat OpenShift AI 2.25" }, { "lang": "en", "value": "RHSA-2026:19712: Red Hat OpenShift AI 3.3" } ], "timeline": [ { "lang": "en", "time": "2026-01-10T04:01:46.246Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-01-10T02:41:44.944Z", "value": "Made public." } ], "title": "react-router: @remix-run/react: React Router SSR XSS in ScrollRestoration", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T12:06:48.401Z" } } ] } }