MEDIUM npm
GHSA-2j2x-hqr9-3h42 · CVE-2026-40181 React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
Modified: 6/3/2026
package
npm / react-router
pkg:npm/react-router
HIGH 8.0 npm
GHSA-2w69-qvjg-hvjx · CVE-2026-22029 React Router vulnerable to XSS via Open Redirects
Modified: 2/3/2026
HIGH 7.6 npm
GHSA-3cgp-3xvw-98x8 · CVE-2025-59057 React Router has XSS Vulnerability
Modified: 2/3/2026
HIGH 8.1 npm
GHSA-49rj-9fvp-4h2h · CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
Modified: 6/3/2026
HIGH 8.0 npm
GHSA-8646-j5j9-6r62 · CVE-2026-33245 React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
Modified: 6/3/2026
HIGH 8.2 npm
GHSA-8v8x-cx79-35w7 · CVE-2026-21884 React Router SSR XSS in ScrollRestoration
Modified: 2/3/2026
HIGH 7.5 npm
GHSA-8x6r-g9mw-2r78 · CVE-2026-42342 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
Modified: 6/8/2026
MEDIUM 6.5 npm
GHSA-9jcx-v3wj-wh4m · CVE-2025-68470 React Router has unexpected external redirect via untrusted paths
Modified: 2/3/2026
HIGH 8.2 npm
GHSA-cpj6-fhp6-mr6j · CVE-2025-43865 React Router allows pre-render data spoofing on React-Router framework mode
Modified: 2/3/2026
MEDIUM 5.4 npm
GHSA-f22v-gfqf-p8f3 · CVE-2026-33244 React Router has stored XSS via unescaped Location header in prerendered redirect HTML
Modified: 6/3/2026
HIGH 7.5 npm
GHSA-f46r-rw29-r322 · CVE-2025-43864 React Router allows a DoS via cache poisoning by forcing SPA mode
Modified: 4/25/2025
MEDIUM 6.5 npm
GHSA-h5cw-625j-3rxh · CVE-2026-22030 React Router has CSRF issue in Action/Server Action Request Processing
Modified: 2/3/2026
HIGH 7.5 npm
GHSA-rxv8-25v2-qmq8 · CVE-2026-34077 React Router vulnerable to Denial of Service via reflected user input in single-fetch
Modified: 6/4/2026