CVE-2026-21884
Unknown Unknown - Not Provided
XSS in React Router ScrollRestoration During Server-Side Rendering

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21884
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
remix-run react to 2.17.3 (exc)
remix-run react 2.17.3
react-router react-router From 7.0.0 (inc) to 7.12.0 (exc)
react-router react-router 7.12.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21884 is a high-severity Cross-Site Scripting (XSS) vulnerability in React Router's <ScrollRestoration> API when used in Framework Mode with Server-Side Rendering (SSR). It occurs when the getKey or storageKey props generate keys from untrusted content during SSR, which can lead to arbitrary JavaScript execution. This affects @remix-run/react versions prior to 2.17.3 and react-router versions 7.0.0 through 7.11.0. The vulnerability does not affect applications that disable SSR in Framework Mode or use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). The issue has been patched in later versions. [1]

Impact Analysis

This vulnerability can allow remote attackers to execute arbitrary JavaScript code during server-side rendering if untrusted content is used to generate keys, potentially leading to high confidentiality loss and low integrity impact. It requires no privileges but does require user interaction. The attack can compromise sensitive data confidentiality and affect the security scope of components. [1]

Detection Guidance

Detection involves verifying if your application uses React Router versions 7.0.0 through 7.11.0 or @remix-run/react versions prior to 2.17.3 with Server-Side Rendering (SSR) in Framework Mode and the <ScrollRestoration> API with getKey or storageKey props. You can check the installed package versions using commands like `npm list react-router` or `npm list @remix-run/react`. Additionally, review your codebase for usage of <ScrollRestoration> with getKey/storageKey props during SSR. There are no specific network detection commands provided. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade @remix-run/react to version 2.17.3 or later, and react-router to version 7.12.0 or later. Alternatively, disable Server-Side Rendering in Framework Mode or avoid using the <ScrollRestoration> API with getKey/storageKey props during SSR. Using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) also avoids the vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21884. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart