
CVE-2026-33244

React Router has stored XSS via unescaped Location header in prerendered redirect HTML

Description

When using React Router v7 Framework Mode with Pre-rendering enabled, the value of the HTTP Location header is not properly neutralized, which can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source.

Note: This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
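
The neutralization described above, as an added example (not React Router's code and not part of this advisory): a hypothetical generator for a static redirect page, shown without and with escaping of the Location value. The function names, the HTML template and the sample value are assumptions, and the scheme check goes beyond what the advisory states.

```javascript
// Added example; function names and the HTML template are assumptions,
// not React Router's implementation.

// Escape the characters that can close an attribute value or open a tag.
function escapeHtml(value) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Accept only same-site paths and http(s) URLs. Escaping alone would still
// allow a non-http scheme into href, so the scheme is checked separately.
function isSafeRedirectTarget(location) {
  if (typeof location !== "string" || /[\u0000-\u001f\u007f]/.test(location)) return false;
  if (/^\/(?![\/\\])/.test(location)) return true; // "/path", not "//host" or "/\host"
  try {
    const { protocol } = new URL(location);
    return protocol === "http:" || protocol === "https:";
  } catch {
    return false; // relative or unparseable values are rejected
  }
}

// "Before": the Location value is interpolated into markup as-is.
function renderRedirectUnsafe(location) {
  return `<!doctype html><meta http-equiv="refresh" content="0;url=${location}">` +
    `<a href="${location}">Redirecting</a>`;
}

// "After": validate the target, then escape it for the HTML context.
function renderRedirectSafe(location) {
  if (!isSafeRedirectTarget(location)) {
    throw new Error("refusing to prerender redirect to unsafe location");
  }
  const safe = escapeHtml(location);
  return `<!doctype html><meta http-equiv="refresh" content="0;url=${safe}">` +
    `<a href="${safe}">Redirecting</a>`;
}

// Constructed sample: a path whose tail contains a quote and a tag.
const SAMPLE_LOCATION = '/docs"><b id="injected">x</b>';
```

With the constructed sample, the unescaped version emits a live `<b>` element into the prerendered file, while the escaped version keeps the whole value inside the `href` and `content` attributes.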

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Score: 5.4
Severity: Medium
Ecosystem: JavaScript
Publish Date: June 3, 2026
Modified Date: June 3, 2026
Score Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Versions