216.73.216.170

CVE-2026-22029

· Published 10/01/2026 03:15 · Modified 10/01/2026 03:15

Labels: CVE-2026-22029 2026-01-10CVE-2026-22029CWE-79[email protected]

Essential information

Published
10/01/2026 03:15
Modified
10/01/2026 03:15
Author
Creator
CVSS
8.0 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CVSS metrics

Description

React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
remix-run / router cpe:2.3:a:remix-run:router:<1.23.2:*:*:*:*:*:*:*
react-router / react-router cpe:2.3:a:react-router:react-router:7.0.0-7.11.0:*:*:*:*:*:*:*

References