>= 7.0.0, < 7.12.0
HIGH 8.2 CVE-2025-43865 React Router allows pre-render data spoofing on React-Router framework mode
>= 7.0.0-pre.0, < 7.5.2
HIGH 8.1 CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
>= 7.0.0, < 7.14.2
HIGH 8.0 React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
>= 7.7.0, < 7.13.2
HIGH 8.0 React Router vulnerable to XSS via Open Redirects
>= 7.0.0, < 7.12.0
HIGH 7.6 React Router has XSS Vulnerability
>= 7.0.0, < 7.9.0
HIGH 7.5 React Router vulnerable to Denial of Service via reflected user input in single-fetch
>= 7.0.0, < 7.14.0
HIGH 7.5 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
>= 7.0.0, < 7.15.0
HIGH 7.5 React Router allows a DoS via cache poisoning by forcing SPA mode
>= 7.2.0, < 7.5.2
MEDIUM 6.5 React Router has CSRF issue in Action/Server Action Request Processing
>= 7.0.0, < 7.12.0
MEDIUM 6.5 React Router has unexpected external redirect via untrusted paths
>= 6.0.0, < 6.30.2
MEDIUM 5.4 React Router has stored XSS via unescaped Location header in prerendered redirect HTML
>= 7.5.1, < 7.13.2
— React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
>= 7.0.0, < 7.14.1