Bug 2428421 (CVE-2026-21884)

Summary: CVE-2026-21884 react-router: @remix-run/react: React Router SSR XSS in ScrollRestoration
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, abokovoy, abrianik, adudiak, alcohan, alizardo, anjoseph, anpicker, anthomas, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, boliveir, bparees, brasmith, brian.stansberry, carogers, caswilli, cmah, cochase, darran.lofthouse, dbosanac, dhanak, dnakabaa, doconnor, dosoudil, dranck, drosa, dymurray, eaguilar, ebaron, ehelms, erezende, eric.wittmann, fdeutsch, fjuma, frenaud, ftrivino, ggainey, ggrzybek, gmalinko, gparvin, haoli, hasun, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jbalunas, jcammara, jcantril, jchui, jfula, jhe, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, joehler, jolong, jowilson, jprabhak, jreimann, jrokos, juwatts, kaycoth, kegrant, koliveir, kshier, ktsao, kverlaen, lball, lcouzens, lphiri, mabashia, manissin, mdessi, mhulan, mnovotny, mosmerov, mposolda, mrizzi, mskarbek, msvehla, mwringe, nboldt, ngough, nipatil, nmoumoul, nwallace, nyancey, ometelka, oramraz, osousa, owatkins, pahickey, pantinor, parichar, pberan, pbizzarr, pbohmill, pbraun, pcattana, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, psrna, ptisnovs, rchan, rhaigner, rjohnson, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sdoran, shvarugh, simaishi, slucidi, smaestri, smallamp, smcdonal, smullick, sseago, ssilvert, stcannon, sthorger, stirabos, syedriko, tasato, teagle, tfister, thason, thavo, tmalecek, tom.jenkinson, veshanka, vmuzikar, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A cross site scripting flaw has been discovered in the npm react-router package. The cross site scripting (XSS) vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-10 04:02:21 UTC 
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.