CVE-2026-22029

medium

Description

React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22029.json

https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx

https://bugzilla.redhat.com/show_bug.cgi?id=2428412

https://access.redhat.com/security/cve/CVE-2026-22029

https://access.redhat.com/errata/RHSA-2026:9848

https://access.redhat.com/errata/RHSA-2026:8229

https://access.redhat.com/errata/RHSA-2026:8218

https://access.redhat.com/errata/RHSA-2026:5636

https://access.redhat.com/errata/RHSA-2026:5633

https://access.redhat.com/errata/RHSA-2026:3960

https://access.redhat.com/errata/RHSA-2026:3959

https://access.redhat.com/errata/RHSA-2026:3958

https://access.redhat.com/errata/RHSA-2026:3782

https://access.redhat.com/errata/RHSA-2026:36882

https://access.redhat.com/errata/RHSA-2026:36651

https://access.redhat.com/errata/RHSA-2026:34100

https://access.redhat.com/errata/RHSA-2026:3087

https://access.redhat.com/errata/RHSA-2026:2694

https://access.redhat.com/errata/RHSA-2026:26420

https://access.redhat.com/errata/RHSA-2026:26413

https://access.redhat.com/errata/RHSA-2026:2572

https://access.redhat.com/errata/RHSA-2026:2568

https://access.redhat.com/errata/RHSA-2026:2456

https://access.redhat.com/errata/RHSA-2026:2350

https://access.redhat.com/errata/RHSA-2026:21658

https://access.redhat.com/errata/RHSA-2026:2149

https://access.redhat.com/errata/RHSA-2026:2148

https://access.redhat.com/errata/RHSA-2026:2147

https://access.redhat.com/errata/RHSA-2026:20042

https://access.redhat.com/errata/RHSA-2026:20041

https://access.redhat.com/errata/RHSA-2026:19712

https://access.redhat.com/errata/RHSA-2026:17474

https://access.redhat.com/errata/RHSA-2026:17469

https://access.redhat.com/errata/RHSA-2026:17468

https://access.redhat.com/errata/RHSA-2026:1517

https://access.redhat.com/errata/RHSA-2026:13548

https://access.redhat.com/errata/RHSA-2026:13542

Details

Source: Mitre, NVD

Published: 2026-01-10

Updated: 2026-07-15

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00041