Reflected cross-site scripting (XSS) in react-router
Description
React Router SSR XSS in ScrollRestoration
An XSS vulnerability exists in React Router's <ScrollRestoration> API in Framework Mode when the getKey/storageKey props are used during server-side rendering. If untrusted content is used to generate the keys, this could allow arbitrary JavaScript execution during SSR.
> [!NOTE]
> This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
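The advisory describes the risk but not the mechanism. The example below is added here and is not react-router's code; it assumes (an assumption, not something the advisory states) that the server-rendered scroll key ends up inside an inline script in the HTML, which is the usual way untrusted content becomes script execution during SSR. It contrasts naive string interpolation with serializing the value so that no `<`, `>` or line-separator characters survive to break out of the script, and it includes a check a defender can run against rendered output. The key value is a constructed sample, not taken from the advisory.

```javascript
// Added example, not react-router code. Assumption: the scroll-restoration key
// is embedded in an inline <script> on the server-rendered page.

// Naive rendering: the raw key is concatenated straight into script text.
function unsafeInlineScript(key) {
  return `<script>window.__scrollKey = "${key}";</script>`;
}

// Characters that must never reach the script body verbatim. <, > and & are
// replaced so "</script" cannot appear; U+2028/U+2029 are line terminators in
// JavaScript but not in JSON, so they are escaped as well.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// JSON.stringify quotes the value; the replace() turns the dangerous
// characters into JSON unicode escapes, which JSON.parse/JS still decode
// to the original characters at runtime.
function serializeForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// Hardened rendering: the key is emitted as an escaped JSON literal.
function safeInlineScript(key) {
  return `<script>window.__scrollKey = ${serializeForInlineScript(key)};</script>`;
}

// Detection helper for rendered HTML: more than one "</script" means the
// embedded value closed the script element early.
function containsScriptBreakout(html) {
  return (html.match(/<\/script/gi) || []).length > 1;
}

// Constructed sample key, e.g. derived from an attacker-controlled URL fragment.
const SAMPLE_KEY = 'section-a"</script><b>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(unsafeInlineScript(SAMPLE_KEY));
  console.log(safeInlineScript(SAMPLE_KEY));
  console.log('unsafe breakout:', containsScriptBreakout(unsafeInlineScript(SAMPLE_KEY)));
  console.log('safe breakout:', containsScriptBreakout(safeInlineScript(SAMPLE_KEY)));
}
```

The same serialization rule applies to any value a framework inlines during SSR (hydration state, router data, scroll keys): HTML entity escaping is not enough inside a script element, because the script parser does not decode entities, so the escaping has to be done at the JavaScript/JSON level as shown.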
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | 7.12.0 | | |
| npm | 2.17.3 | | |