{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T02:31:06.557","vulnerabilities":[{"cve":{"id":"CVE-2026-21884","sourceIdentifier":"security-advisories@github.com","published":"2026-01-10T03:15:48.673","lastModified":"2026-01-30T18:19:22.727","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0."},{"lang":"es","value":"React Router es un router para React. En la versión de @remix-run/react anterior a la 2.17.3 y react-router de la 7.0.0 a la 7.11.0, existe una vulnerabilidad de XSS en la API  de React Router en Modo Framework al usar las props getKey/storageKey durante la Renderización del Lado del Servidor, lo que podría permitir la ejecución arbitraria de JavaScript durante SSR si se utiliza contenido no confiable para generar las claves. No hay impacto si la renderización del lado del servidor en Modo Framework está deshabilitada, o si se está utilizando el Modo Declarativo () o el Modo de Datos (createBrowserRouter/). Este problema ha sido parcheado en la versión 2.17.3 de @remix-run/react y la versión 7.12.0 de react-router."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*","versionStartIncluding":"7.0.0","versionEndIncluding":"7.11.0","matchCriteriaId":"6928DE33-6137-4682-8610-1A6646F1B2A5"},{"vulnerable":true,"criteria":"cpe:2.3:a:shopify:remix-run\\/react:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2.17.3","matchCriteriaId":"CD7006C4-2033-446C-A472-DAD51EB06396"}]}]}],"references":[{"url":"https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7","source":"security-advisories@github.com","tags":["Third Party Advisory"]}]}}]}