XSS: <ScrollRestoration> SSR in @remix-run/react, react-router <7.12 Pre-2.17.3
CVE-2026-21884 Published on January 10, 2026
React Router SSR XSS in ScrollRestoration
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Vulnerability Analysis
CVE-2026-21884 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-21884 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-21884
Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.
Affected Versions
remix-run react-router:- Version @remix-run/react < 2.17.3 is affected.
- Version react-router >= 7.0.0, < 7.12.0 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2026-21884
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| npm | react-router | >= 7.0.0, < 7.12.0 | 7.12.0 |
| npm | @remix-run/react | < 2.17.3 | 2.17.3 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.