Vulnerability details: VCID-y2ce-z8tu-y7e5
Vulnerability ID VCID-y2ce-z8tu-y7e5
Aliases CVE-2026-22029
GHSA-2w69-qvjg-hvjx
Summary React Router vulnerable to XSS via Open Redirects

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in [Framework Mode](https://reactrouter.com/start/modes#framework), [Data Mode](https://reactrouter.com/start/modes#data), or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

> [!NOTE]
> This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`).
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 8.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22029.json
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2026-22029
epss 0.00018 https://api.first.org/data/v1/epss?cve=CVE-2026-22029
cvssv3.1 8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-2w69-qvjg-hvjx
cvssv3.1 8.0 https://github.com/remix-run/react-router
generic_textual HIGH https://github.com/remix-run/react-router
cvssv3.1 8 https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
cvssv3.1 8.0 https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
cvssv3.1_qr HIGH https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
generic_textual HIGH https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
ssvc Track https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
cvssv3.1 8.0 https://nvd.nist.gov/vuln/detail/CVE-2026-22029
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-22029
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22029.json
https://api.first.org/data/v1/epss?cve=CVE-2026-22029
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/remix-run/react-router
https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
https://nvd.nist.gov/vuln/detail/CVE-2026-22029
2428412 https://bugzilla.redhat.com/show_bug.cgi?id=2428412
GHSA-2w69-qvjg-hvjx https://github.com/advisories/GHSA-2w69-qvjg-hvjx
RHSA-2026:1517 https://access.redhat.com/errata/RHSA-2026:1517
RHSA-2026:2147 https://access.redhat.com/errata/RHSA-2026:2147
RHSA-2026:2148 https://access.redhat.com/errata/RHSA-2026:2148
RHSA-2026:2149 https://access.redhat.com/errata/RHSA-2026:2149
RHSA-2026:2350 https://access.redhat.com/errata/RHSA-2026:2350
RHSA-2026:2456 https://access.redhat.com/errata/RHSA-2026:2456
RHSA-2026:2568 https://access.redhat.com/errata/RHSA-2026:2568
RHSA-2026:2694 https://access.redhat.com/errata/RHSA-2026:2694
RHSA-2026:3087 https://access.redhat.com/errata/RHSA-2026:3087
RHSA-2026:3782 https://access.redhat.com/errata/RHSA-2026:3782
RHSA-2026:3958 https://access.redhat.com/errata/RHSA-2026:3958
RHSA-2026:3959 https://access.redhat.com/errata/RHSA-2026:3959
RHSA-2026:3960 https://access.redhat.com/errata/RHSA-2026:3960
RHSA-2026:5636 https://access.redhat.com/errata/RHSA-2026:5636
RHSA-2026:8218 https://access.redhat.com/errata/RHSA-2026:8218
RHSA-2026:8229 https://access.redhat.com/errata/RHSA-2026:8229
RHSA-2026:9848 https://access.redhat.com/errata/RHSA-2026:9848
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22029.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/remix-run/react-router
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T18:10:20Z/ Found at https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-22029
Exploit Prediction Scoring System (EPSS)
Percentile 0.03426
EPSS Score 0.00016
Published At April 21, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:26.016571+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-2w69-qvjg-hvjx/GHSA-2w69-qvjg-hvjx.json 38.0.0