pkg:npm/react-router

12 total CVEs: HIGH 8, MEDIUM 3

All known vulnerabilities

  • HIGH 8.2, CVE-2026-21884: React Router SSR XSS in ScrollRestoration
    >= 7.0.0, < 7.12.0
  • HIGH 8.2, CVE-2025-43865: React Router allows pre-render data spoofing on React-Router framework mode
    >= 7.0.0-pre.0, < 7.5.2
  • HIGH 8.1, CVE-2026-42211: React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
    >= 7.0.0, < 7.14.2
  • HIGH 8.0, CVE-2026-33245: React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
    >= 7.7.0, < 7.13.2
  • HIGH 8.0, CVE-2026-22029: React Router vulnerable to XSS via Open Redirects
    >= 7.0.0, < 7.12.0
  • HIGH 7.6, CVE-2025-59057: React Router has XSS Vulnerability
    >= 7.0.0, < 7.9.0
  • HIGH 7.5, CVE-2026-42342: React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
    >= 7.0.0, < 7.15.0
  • HIGH 7.5, CVE-2025-43864: React Router allows a DoS via cache poisoning by forcing SPA mode
    >= 7.2.0, < 7.5.2
  • MEDIUM 6.5, CVE-2026-22030: React Router has CSRF issue in Action/Server Action Request Processing
    >= 7.0.0, < 7.12.0
  • MEDIUM 6.5, CVE-2025-68470: React Router has unexpected external redirect via untrusted paths
    >= 6.0.0, < 6.30.2
  • MEDIUM 5.4, CVE-2026-33244: React Router has stored XSS via unescaped Location header in prerendered redirect HTML
    >= 7.5.1, < 7.13.2
  • CVE-2026-40181: React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
    >= 7.0.0, < 7.14.1