Security Advisory

CVE-2026-22030

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-01-10 02:42:44

Last updated 2026-01-12 18:09:39

Assigner GitHub_M

State PUBLISHED

Description

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.

← Browse all CVEs View on cve.org ↗