React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
References
| Link | Resource |
|---|---|
| https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
30 Jan 2026, 18:19
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7 - Third Party Advisory | |
| First Time |
Shopify
Shopify react-router Shopify remix-run\/react |
|
| CPE | cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:* cpe:2.3:a:shopify:remix-run\/react:*:*:*:*:*:node.js:*:* |
10 Jan 2026, 03:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-10 03:15
Updated : 2026-01-30 18:19
NVD link : CVE-2026-21884
Mitre link : CVE-2026-21884
CVE.ORG link : CVE-2026-21884
JSON object : View
Products Affected
shopify
- remix-run\/react
- react-router
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')