logo

Database

Reflected cross-site scripting (XSS) In react-router

Description

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets When using React Router v7's unstable RSC APIs, there exists a potential client-side XSS issue in the RSC redirect handling if redirects are coming from untrusted sources

[!NOTE] This only impacts your application if you are using the unstable RSC APIs in React Router.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-332452. NVD-2026-332453. OSV-2026-332454. GHSA-8646-j5j9-6r625. GCVE-2026-33245

References

1. https://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.