| CVE-2026-42211 |
high |
8.1 |
8.1 |
|
|
|
2d ago |
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE |
| CVE-2026-33245 |
high |
8.0 |
8.0 |
|
|
|
2d ago |
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS… |
| CVE-2026-22029 |
high |
8.0 |
8.0 |
|
|
|
5mo ago |
React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from l… |
| CVE-2026-42342 |
high |
7.5 |
7.5 |
|
|
|
2d ago |
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint |
| CVE-2026-33244 |
medium |
5.4 |
5.4 |
|
|
|
2d ago |
React Router has stored XSS via unescaped Location header in prerendered redirect HTML |
| CVE-2026-40181 |
unknown |
— |
— |
|
|
|
2d ago |
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation |
