CVE-2026-33245EPSS p7.2%

CVE-2026-33245CVE-2026-33245

shopify / react-router

Description

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.

Scoring

CVSS 8.0 ()
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS0.18% probability of exploitation · percentile 7.2% · 2026-06-19T12:03:05Z
Last modified2026-06-04

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-34077
CVE
CVE-2026-33244
CVE
CVE-2026-22029
CVE
CVE-2026-21884
CVE
CVE-2025-43865
CVE
CVE-2026-40181
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.