CVE-2026-21884
Published: 10 January 2026
Summary
CVE-2026-21884 is a high-severity cross-site scripting (CWE-79) vulnerability in React Router (vendor: Shopify), shipped as the npm packages react-router and @remix-run/react. Its CVSS v3.1 base score is 8.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 4.8th percentile by predicted exploit likelihood (well below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Beyond applying the vendor patch, the strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: upgrading to @remix-run/react 2.17.3 or later, or react-router 7.12.0 or later, removes the XSS in the <ScrollRestoration> API during SSR.
- Output filtering (SI-15): filtering or escaping the SSR output derived from the getKey or storageKey props prevents untrusted content in those values from being rendered as executable script.
- Input validation (SI-10): validating and sanitizing untrusted inputs before they are used for key generation during SSR keeps attacker-controlled content out of the rendered page, so it never reaches a position where it executes as JavaScript.
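The following is an added example (not part of this page or of the React Router project) that encodes the affected version ranges stated above and checks an npm lockfile against them, so that nested copies of the package are not missed. It assumes the npm lockfileVersion 3 layout (a `packages` map keyed by `node_modules/...` paths); the sample lockfile is constructed, and only the two package names this page lists are covered.

```javascript
// Added example, not React Router project code. Encodes the affected ranges
// given on this page and audits an npm lockfile (lockfileVersion 3 layout) for them.

// Affected ranges as stated on this page: @remix-run/react before 2.17.3;
// react-router 7.0.0 through 7.11.0 (fixed in 7.12.0). Prereleases of the
// fixed version (e.g. 7.12.0-pre.0) sort below it and are treated as affected.
const AFFECTED_RANGES = {
  "@remix-run/react": [{ below: "2.17.3" }],
  "react-router": [{ from: "7.0.0", below: "7.12.0" }],
};

// Minimal semver parser: major.minor.patch plus an optional prerelease tag.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts below the release with the same core;
// ordering between two prereleases is not needed for this audit and is treated as equal.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

// True when the installed version of `name` falls inside one of the page's ranges.
function isAffected(name, version) {
  const ranges = AFFECTED_RANGES[name];
  if (!ranges) return false;
  return ranges.some(
    (r) => (!r.from || compareVersions(version, r.from) >= 0) && compareVersions(version, r.below) < 0,
  );
}

// Walks every installed copy, including nested node_modules, and returns the affected ones.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    if (!name || !entry.version) continue; // "" is the root project entry
    if (isAffected(name, entry.version)) findings.push({ path, name, version: entry.version });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project): one vulnerable copy of
// react-router, a patched @remix-run/react, and an out-of-range nested react-router.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react-router": { version: "7.11.0" },
    "node_modules/@remix-run/react": { version: "2.17.3" },
    "node_modules/legacy-widget/node_modules/react-router": { version: "6.30.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
  }
}
```

Point `auditLockfile` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; a lockfile with several nested copies is exactly the case where `npm ls` output is easy to misread.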
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An attacker who exploits the XSS in a public-facing, server-rendered React Router application (Exploit Public-Facing Application, T1190) gains arbitrary JavaScript execution in the victim's browser (Command and Scripting Interpreter: JavaScript, T1059.007).
NVD Description
React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Deeper analysis
CVE-2026-21884 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in React Router, the routing library for React applications. It affects @remix-run/react versions prior to 2.17.3 and react-router versions 7.0.0 through 7.11.0, specifically the <ScrollRestoration> API in Framework Mode when the getKey or storageKey props are used during server-side rendering (SSR). When untrusted content feeds the key, that content lands in the server-rendered output in a position where the browser executes it as JavaScript. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) and was published on 2026-01-10; the changed scope (S:C) reflects that a flaw in the server-rendered application ends up executing in the user's browser.
Exploitation is remote, unauthenticated (PR:N) and low complexity (AC:L), but requires user interaction (UI:R): the victim must load a server-rendered page, typically via a crafted link, whose scroll-restoration key incorporates attacker-controlled content because the application's getKey callback or storageKey value derives it from untrusted input such as the request URL. The injected script then runs in the victim's browser, giving high confidentiality impact (anything readable from the page or browser storage), with lower integrity impact and no availability impact. There is no exposure if SSR in Framework Mode is disabled, or if the application uses Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
The GitHub security advisory (GHSA-8v8x-cx79-35w7) confirms the fix in @remix-run/react 2.17.3 and react-router 7.12.0. Upgrade to those versions or later, then audit applications for the affected configuration: Framework Mode with SSR enabled and a <ScrollRestoration> that uses getKey or storageKey. Where a key must be derived from request data, validate the value against an allowlist and escape it before it reaches the rendered output, and prefer keys built from values the server already trusts.
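As an added example (not the page's or React Router's own code) of the defect class the analysis describes, the block below models a server-rendered scroll-restoration script in the general form `(restoreFn)(storageKey, key)` and shows why JSON serialization alone does not make an attacker-influenced key safe, alongside the output escaping (SI-15) and input allowlisting (SI-10) that close the gap. The script template, the function names and the `EVIL_KEY` sample are constructed assumptions for illustration; React Router's real template is not reproduced here.

```javascript
// Added example, not React Router code. Models the SSR hazard the analysis
// describes: a scroll-restoration key is serialized into an inline <script>
// in the server-rendered HTML. The template shape is an assumption for
// illustration; the breakout mechanics are generic to any inline script.

// Vulnerable shape: JSON.stringify escapes quotes and backslashes but leaves
// "<" and ">" intact, so a key containing "</script>" closes the element early
// and the HTML parser treats what follows as markup, including new <script> tags.
function renderScrollScriptVulnerable(storageKey, restoreKey) {
  const restore = "(s, k) => { /* read saved position for k from sessionStorage[s] */ }";
  return `<script>(${restore})(${JSON.stringify(storageKey)}, ${JSON.stringify(restoreKey)})</script>`;
}

// Output filtering (SI-15): after JSON serialization, rewrite the characters that
// matter inside an HTML script element as JS Unicode escapes. These are valid
// JSON string escapes too, so the value the browser decodes is unchanged.
function escapeForInlineScript(jsonText) {
  return jsonText
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderScrollScriptHardened(storageKey, restoreKey) {
  const restore = "(s, k) => { /* read saved position for k from sessionStorage[s] */ }";
  const s = escapeForInlineScript(JSON.stringify(storageKey));
  const k = escapeForInlineScript(JSON.stringify(restoreKey));
  return `<script>(${restore})(${s}, ${k})</script>`;
}

// Input validation (SI-10): a key built from request data should only ever
// contain characters that can never open or close markup. Returns the key or throws.
const SAFE_KEY = /^[A-Za-z0-9_\-./?=:]*$/;
function assertSafeKey(key) {
  if (!SAFE_KEY.test(key)) throw new Error("scroll key contains characters outside the allowlist");
  return key;
}

// Output check usable on rendered HTML: a single inline script should contain
// exactly one closing tag and no "<!--" (which the HTML parser's script data
// escaped state also treats specially).
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}
function inlineScriptIsContained(html) {
  return countScriptClosers(html) === 1 && !/<!--/.test(html);
}

// Constructed attacker-influenced key (not from a real request): what a getKey
// that folds the URL into the key would produce for a crafted query string.
const EVIL_KEY = "/search?q=</script><script>alert(document.domain)</script>";

console.log("vulnerable:", renderScrollScriptVulnerable("positions", EVIL_KEY));
console.log("hardened:  ", renderScrollScriptHardened("positions", EVIL_KEY));
```

`inlineScriptIsContained` is the kind of assertion an SSR integration test can run over the rendered `<ScrollRestoration>` element with a deliberately hostile URL; `assertSafeKey` belongs in the application's own `getKey` when the key is derived from anything the client controls.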
Details
- CWE(s)