XSS: <ScrollRestoration> SSR in @remix-run/react, react-router <7.12 Pre-2.17.3
CVE-2026-21884 Published on January 10, 2026

React Router SSR XSS in ScrollRestoration
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.

Github Repository NVD

Vulnerability Analysis

CVE-2026-21884 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-21884 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2026-21884

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

 
 
 
 
 
 

Affected Versions

remix-run react-router: Red Hat Ansible Automation Platform 2.6 for RHEL 9: Red Hat Ansible Automation Platform 2.6: Red Hat OpenShift AI 2.25: Red Hat OpenShift AI 3.3: Red Hat Ansible Automation Platform 2.6 for RHEL 10: Red Hat Build of Kueue: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 9:

Vulnerable Packages

The following package name and versions may be associated with CVE-2026-21884

Package Manager Vulnerable Package Versions Fixed In
npm react-router >= 7.0.0, < 7.12.0 7.12.0
npm @remix-run/react < 2.17.3 2.17.3

Exploit Probability

EPSS
0.37%
Percentile
28.25%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.