CVE-2026-33244 MEDIUM

CVE-2026-33244: React Router has stored XSS via unescaped Location header in prerendered redirect HTML

Vendor Remix-Run
Product react-router
Weakness CWE-79 · XSS
Published June 2, 2026
Last update June 2, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.13.2.

Key dates

02Disclosure timeline

June 2, 2026 CVE published
June 2, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-30441 WordPress Combo Blocks plugin <= 2.2.74 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-3541 ThinuTech ThinuCMS author_posts.php cross site scripting CVE-2022-45363 WordPress Betheme premium theme <= 26.6.1 - Auth. Stored Cross-Site Scripting (XSS) vulnerability CVE-2024-51898 WordPress Semantic Shortcode plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability CVE-2025-57875 BUG-000164122 - Reflected XSS vulnerability in Portal for ArcGIS.