CVE-2026-22029
React Router vulnerable to XSS via Open Redirects
Description
React Router (and Remix v1/v2) SPA navigation redirects originating from loaders or actions in [Framework Mode](https://reactrouter.com/start/modes#framework), [Data Mode](https://reactrouter.com/start/modes#data), or the unstable RSC modes can result in unsafe URLs that cause unintended JavaScript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

> [!NOTE]
> This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`).
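One defensive check an application can apply before building a redirect from untrusted input, as an added example that is not React Router or Remix code: it accepts only app-relative paths, so scheme-bearing values such as `javascript:` and protocol-relative hosts never reach `redirect()`. The origin `https://app.example`, the `redirectTo` parameter and the function names are assumptions.

```javascript
// Added example (not React Router project code): validate a redirect target
// taken from untrusted input before handing it to redirect() in a loader/action.
// Assumed application origin; names here are hypothetical.
const APP_ORIGIN = "https://app.example";

// Returns a same-origin path ("/path?query#hash"), or null when the input
// must not be used as a navigation target.
function safeRedirectTarget(input) {
  if (typeof input !== "string" || input.length === 0) return null;
  // Drop control characters and whitespace that URL parsing would tolerate.
  const trimmed = input.replace(/[\u0000-\u001F\u007F\s]/g, "");
  // Accept only app-relative paths: one leading "/" not followed by "/" or "\",
  // which rules out absolute URLs, "javascript:"-style schemes and "//host" forms.
  if (!/^\/(?![\/\\])/.test(trimmed)) return null;
  let url;
  try {
    url = new URL(trimmed, APP_ORIGIN);
  } catch {
    return null;
  }
  // Defense in depth: resolving against our origin must keep our origin and an
  // http(s) scheme; anything else is rejected.
  if (url.origin !== APP_ORIGIN || !/^https?:$/.test(url.protocol)) return null;
  return url.pathname + url.search + url.hash;
}

// Loader-shaped helper: the value passed to redirect() is either a validated
// app-relative path or a fixed fallback, never the raw query parameter.
function loaderRedirectTarget(request) {
  const wanted = new URL(request.url).searchParams.get("redirectTo");
  return safeRedirectTarget(wanted) ?? "/";
}
```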
How to fix CVE-2026-22029
To remediate CVE-2026-22029, upgrade the affected package to a fixed version below.
- —upgrade to 7.12.0 or later
- —upgrade to 1.23.2 or later
Is CVE-2026-22029 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.0.0, < 7.12.0
- from 0, < 1.23.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |