Package impact
npm / react-router
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42211 | high | 8.1 | 8.1 | | | | 1d ago | React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE |
| CVE-2026-33245 | high | 8.0 | 8.0 | | | | 1d ago | React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS… |
| CVE-2026-22029 | high | 8.0 | 8.0 | | | | 5mo ago | React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from l… |
| CVE-2026-42342 | high | 7.5 | 7.5 | | | | 1d ago | React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint |