{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21884", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T17:24:36.928Z", "datePublished": "2026-01-10T02:41:44.944Z", "dateUpdated": "2026-02-26T15:04:51.084Z"}, "containers": {"cna": {"title": "React Router SSR XSS in ScrollRestoration", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7"}], "affected": [{"vendor": "remix-run", "product": "react-router", "versions": [{"version": "@remix-run/react < 2.17.3", "status": "affected"}, {"version": "react-router >= 7.0.0, < 7.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T02:41:44.944Z"}, "descriptions": [{"lang": "en", "value": "React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0."}], "source": {"advisory": "GHSA-8v8x-cx79-35w7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T04:55:52.068631Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:51.084Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21884", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T04:55:52.068631Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:11:06.386Z"}}], "cna": {"title": "React Router SSR XSS in ScrollRestoration", "source": {"advisory": "GHSA-8v8x-cx79-35w7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "remix-run", "product": "react-router", "versions": [{"status": "affected", "version": "@remix-run/react < 2.17.3"}, {"status": "affected", "version": "react-router >= 7.0.0, < 7.12.0"}]}], "references": [{"url": "https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7", "name": "https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T02:41:44.944Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21884", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:04:51.084Z", "dateReserved": "2026-01-05T17:24:36.928Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T02:41:44.944Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6928DE33-6137-4682-8610-1A6646F1B2A5", "versionEndIncluding": "7.11.0", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:shopify:remix-run\\/react:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CD7006C4-2033-446C-A472-DAD51EB06396", "versionEndExcluding": "2.17.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0."}], "id": "CVE-2026-21884", "lastModified": "2026-01-30T18:19:22.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T03:15:48.673", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "react-router: @remix-run/react: React Router SSR XSS in ScrollRestoration", "id": "2428421", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428421"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-21884", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-platform-ui", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:kueue_operator:1", "fix_state": "Affected", "package_name": "kueue/kueue-must-gather-rhel9", "product_name": "Red Hat Build of Kueue"}, {"cpe": "cpe:/a:redhat:kueue_operator:1", "fix_state": "Affected", "package_name": "kueue/kueue-operator-bundle", "product_name": "Red Hat Build of Kueue"}, {"cpe": "cpe:/a:redhat:kueue_operator:1", "fix_state": "Affected", "package_name": "kueue/kueue-rhel9", "product_name": "Red Hat Build of Kueue"}, {"cpe": "cpe:/a:redhat:kueue_operator:1", "fix_state": "Affected", "package_name": "kueue/kueue-rhel9-operator", "product_name": "Red Hat Build of Kueue"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "ipa", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ipa", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-01-10T02:41:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21884\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21884\nhttps://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7"], "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T07:15:17.549877+00:00", "value": {"mitigation_remediation": ["Upgrade @remix\u2011run/react to version 2.17.3 or newer and react\u2011router to version 7.12.0 or newer.", "If upgrading is not immediately possible, disable Framework Mode server\u2011side rendering or avoid using <ScrollRestoration> with untrusted key data, and switch to Declarative or Data Mode usage if applicable.", "Implement strict validation or encoding for any data that is used to set getKey or storageKey properties to prevent injection of malicious scripts."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting during Server\u2011Side Rendering"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the @remix\u2011run/react package up to version 2.17.2 and the react\u2011router package from 7.0.0 through 7.11.0. Systems using these libraries in Framework Mode with <ScrollRestoration> must upgrade to @remix\u2011run/react 2.17.3 or later and react\u2011router 7.12.0 or later to eliminate the flaw.", "description_and_impact": "React Router's <ScrollRestoration> component in Framework Mode is vulnerable to cross\u2011site scripting when the getKey or storageKey properties are populated using untrusted content. If an attacker can supply malicious data that is used to generate these keys, arbitrary JavaScript can be executed on the server side and rendered to the client. The weakness is an input validation flaw, identified as CWE\u201179, and the primary impact is the ability to run malicious scripts in the browser context of users compiling the SSR output.", "risk_and_exploitability": "The CVSS base score of 8.2 indicates a high severity vulnerability. The EPSS score is reported at less than 1%, suggesting low exploitation probability, and the issue is not listed in the CISA KEV catalog. The most likely attack vector is through server\u2011side rendering of user\u2011controlled content in Framework Mode, where the component generates keys from untrusted data. Exploitation would require that the attacker has the ability to influence the content used to build the keys, but no additional credentials or privileges are necessary."}}}}, "created": "2026-04-18T07:15:25.862602+00:00", "updated": "2026-04-18T07:15:25.862613+00:00", "vendors": []}