React-router

This hub aggregates every CVE we track for React-router, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting React-router.

• CVE-2026-53663React Router: `handleDocumentRequest` CSRF check covers `POST` only; PUT/PATCH/DELETE bypass3.1Jun 22, 2026
• CVE-2026-42342React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint7.5Jun 2, 2026
• CVE-2026-42211React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE8.1Jun 2, 2026
• CVE-2026-40181React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation6.1Jun 2, 2026
• CVE-2026-34077React Router vulnerable to Denial of Service via reflected user input in single-fetch7.5Jun 2, 2026
• CVE-2026-33245React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets8.0Jun 2, 2026
• CVE-2026-33244React Router has stored XSS via unescaped Location header in prerendered redirect HTML5.4Jun 2, 2026
• CVE-2026-45321Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keysKEV9.6May 12, 2026
• CVE-2026-42349Clerk: Authorization bypass when combining organization, billing, or reverification checks8.1May 11, 2026
• CVE-2026-22030React Router has CSRF issue in Action/Server Action Request Processing6.5Jan 10, 2026
• CVE-2026-22029React Router vulnerable to XSS via Open Redirects8.0Jan 10, 2026
• CVE-2026-21884React Router SSR XSS in ScrollRestoration8.2Jan 10, 2026
• CVE-2025-61686React Router has Path Traversal in File Session Storage9.1Jan 10, 2026
• CVE-2025-59057React Router has XSS Vulnerability7.6Jan 10, 2026
• CVE-2025-68470React Router has unexpected external redirect via untrusted paths6.5Jan 10, 2026