THREAT OPS › Threat News › [NVD] CVE-2026-21884 (HIGH 8.2) — React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering wh
[NVD] CVE-2026-21884 (HIGH 8.2) — React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering wh
CVE-2026-21884 CVSS: 8.2 HIGH Published: 2026-01-10T03:15:48.673
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during
MITRE ATT&CK techniques
- JavaScriptT1059.007
Indicators of compromise
- CVE-2026-21884cve
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-21884