CVE-2026-21884Shopify · React-router
Vulnerability data via NVD (ingested)
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-21884product:"Shopify React-router"http.html:"React-router"More intel sources (5)
vuln:CVE-2026-21884vulnerabilities.cve_id: CVE-2026-21884CVE-2026-21884CVE-2026-21884"CVE-2026-21884" exploit -site:nvd.nist.gov