Bug 2428412 (CVE-2026-22029)
| Summary: | CVE-2026-22029 @remix-run/router: react-router: React Router vulnerable to XSS via Open Redirects | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abarbaro, abokovoy, abrianik, adudiak, alcohan, alizardo, anjoseph, anpicker, anthomas, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, boliveir, bparees, brasmith, brian.stansberry, carogers, caswilli, cmah, cochase, darran.lofthouse, dbosanac, dhanak, dnakabaa, doconnor, dosoudil, dranck, drosa, dschmidt, dymurray, eaguilar, ebaron, ehelms, erezende, eric.wittmann, fdeutsch, frenaud, ftrivino, ggainey, ggrzybek, gmalinko, gparvin, haoli, hasun, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jbalunas, jcammara, jcantril, jchui, jfula, jhe, jkoehler, jlanda, jmatthew, jmitchel, jmontleo, jneedle, joehler, jolong, jowilson, jprabhak, jreimann, jrokos, juwatts, kaycoth, kegrant, koliveir, kshier, ktsao, kverlaen, lball, lchilton, lcouzens, lphiri, mabashia, manissin, mattdavi, mdessi, mhulan, mnovotny, mosmerov, mposolda, mrizzi, mskarbek, msvehla, mwringe, nboldt, ngough, nipatil, nmoumoul, nwallace, nyancey, ometelka, oramraz, osousa, owatkins, pahickey, pantinor, parichar, pberan, pbizzarr, pbohmill, pbraun, pcattana, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, psrna, ptisnovs, rchan, rhaigner, rjohnson, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sdoran, sfeifer, shvarugh, simaishi, slucidi, smaestri, smallamp, smcdonal, smullick, sseago, ssilvert, stcannon, sthorger, stirabos, syedriko, tasato, teagle, tfister, thason, thavo, tmalecek, tom.jenkinson, veshanka, vmuzikar, wtam, xdharmai, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A cross site scripting flaw has been discovered in the npm react-router and @remix-run/router packages. React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2428747, 2428748, 2428755, 2428759, 2428760, 2428751, 2428752, 2428753, 2428754, 2428756, 2428757, 2428758 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2026-01-10 04:01:32 UTC
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.6 for RHEL 9 Red Hat Ansible Automation Platform 2.6 for RHEL 10 Via RHSA-2026:3958 https://access.redhat.com/errata/RHSA-2026:3958 This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.5 for RHEL 8 Red Hat Ansible Automation Platform 2.5 for RHEL 9 Via RHSA-2026:3959 https://access.redhat.com/errata/RHSA-2026:3959 |