Home > Vulnerability Database > CVE-2026-21884

Mend.io Vulnerability Database

CVE-2026-21884

Good to know:

Date: January 9, 2026

React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.

Severity Score

8.2

Related Resources (4)

Url: https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7

Url: https://github.com/remix-run/react-router

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21884

Url: https://www.mend.io/vulnerability-database/CVE-2026-21884

Severity Score

8.2

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version react-router - 7.12.0;@remix-run/react - 2.17.3;https://github.com/remix-run/react-router.git - create-react-router@7.12.0

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21884

Good to know:

Date: January 9, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?