CVE-2026-33245

HIGH8.0

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets

Published: 6/3/2026Modified: 6/3/2026

Description

When using React Router v7's unstable RSC APIs, there exists a potential client-side XSS issue in the RSC redirect handling if redirects are coming from untrusted sources > [!NOTE] > This only impacts your application if you are using the unstable RSC APIs in React Router.

Affected packages (1)

npm/react-router>= 7.7.0, < 7.13.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-33245
PATCHhttps://github.com/remix-run/react-router
WEBhttps://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62