CVE-2026-22029EPSS p24.3%

CVE-2026-22029CVE-2026-22029

shopify / remix-run\/react

Description

React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

Scoring

CVSS 8.0 ()
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS0.33% probability of exploitation · percentile 24.3% · 2026-06-18T12:00:27Z
Last modified2026-06-02

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-21884
CVE
CVE-2026-40181
CVE
CVE-2026-33244
CVE
CVE-2026-33245
CVE
CVE-2026-42211
CVE
CVE-2026-34077
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.