CVE-2026-22030 — React Router has CSRF issue in Action/Server Action Request Processing

Description

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route `action` handlers in [Framework Mode](https://reactrouter.com/start/modes#framework), or when using React Server Actions in the new unstable RSC modes. > [!NOTE] > This does not impact your application if you are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

How to fix CVE-2026-22030

To remediate CVE-2026-22030, upgrade the affected package to a fixed version below.

—upgrade to 7.12.0 or later
—upgrade to 2.17.3 or later

Is CVE-2026-22030 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.0.0, < 7.12.0
from 0, < 2.17.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-22030
PATCHgithub.com/remix-run/react-router
WEBgithub.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh