CVE-2026-22029

Source
https://cve.org/CVERecord?id=CVE-2026-22029
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22029.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22029
Aliases
Downstream
Related
Published
2026-01-10T02:42:32.736Z
Modified
2026-07-12T03:55:20.772144919Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
React Router vulnerable to XSS via Open Redirects
Details

React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22029.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/remix-run/react-router

Affected ranges

Type
GIT
Repo
https://github.com/remix-run/react-router
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Database specific
{
    "source": "CPE_RANGE",
    "cpe": [
        "cpe:2.3:a:shopify:remix-run\\/react:*:*:*:*:*:node.js:*:*",
        "cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.23.2"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "last_affected": "7.11.0"
        }
    ]
}

Affected versions

@remix-run/router@0.*
@remix-run/router@0.2.0-pre.3
@remix-run/router@1.*
@remix-run/router@1.0.1
@remix-run/router@1.0.1-pre.0
@remix-run/router@1.0.2
@remix-run/router@1.21.0-pre.0
@remix-run/router@1.23.2-pre-v6.0
react-router-dom-v5-compat@6.*
react-router-dom-v5-compat@6.28.0-pre.0
react-router-dom-v5-compat@6.30.3-pre-v6.0
react-router-dom-v5-compat@6.4.0-pre.8
react-router-dom-v5-compat@6.4.1
react-router-dom-v5-compat@6.4.1-pre.0
react-router-dom-v5-compat@6.4.2
react-router-dom-v5-compat@6.4.2-pre.1
react-router-dom@6.*
react-router-dom@6.28.0-pre.0
react-router-dom@6.30.3-pre-v6.0
react-router-dom@6.4.0-pre.8
react-router-dom@6.4.1
react-router-dom@6.4.1-pre.0
react-router-dom@6.4.2
react-router-dom@6.4.2-pre.1
react-router-native@6.*
react-router-native@6.28.0-pre.0
react-router-native@6.30.3-pre-v6.0
react-router-native@6.4.0-pre.8
react-router-native@6.4.1
react-router-native@6.4.1-pre.0
react-router-native@6.4.2
react-router-native@6.4.2-pre.1
react-router@6.*
react-router@6.28.0-pre.0
react-router@6.30.3-pre-v6.0
react-router@6.4.0-pre.8
react-router@6.4.1
react-router@6.4.1-pre.0
react-router@6.4.2
react-router@6.4.2-pre.1
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.11.6
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.2.0
v0.2.1
v0.3.0
v0.3.1
v0.3.2
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.6.1
v0.7.0
v0.8.0
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v1.*
v1.0.0
v1.0.0-alpha2
v1.0.0-beta2
v1.0.0-beta3
v1.0.0-beta4
v1.0.0-rc1
v1.0.0-rc2
v1.0.0-rc3
v1.0.0-rc4
v1.0.1
v2.*
v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.0.0-rc6
v2.0.1
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v3.*
v3.0.0
v3.0.0-alpha.1
v3.0.0-alpha.2
v3.0.0-alpha.3
v3.0.0-beta.1
v3.0.1
v3.0.2
v4.*
v4.0.0
v4.1.0
v4.1.1
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.0-rc.1
v4.3.0-rc.2
v4.3.0-rc.3
v4.3.1
v4.4.0
v4.4.0-beta.0
v4.4.0-beta.1
v4.4.0-beta.2
v4.4.0-beta.3
v4.4.0-beta.4
v4.4.0-beta.5
v4.4.0-beta.6
v4.4.0-beta.7
v4.4.0-beta.8
v5.*
v5.0.0
v5.0.1
v5.1.0
v5.1.1
v6.*
v6.0.0-alpha.0
v6.0.0-alpha.1
v6.0.0-alpha.2
v6.0.0-alpha.3
v6.0.0-alpha.4
v6.0.0-alpha.5
v6.0.0-beta.0
v6.0.0-beta.1
v6.0.0-beta.2
v6.0.0-beta.3
v6.0.0-beta.4
v6.0.0-beta.6
v6.0.0-beta.8
v6.0.1
v6.1.0
v6.2.0
v6.2.1
v6.2.2
v6.2.2-pre.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22029.json"