
CVE-2026-33245

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets

Description

When using React Router v7's unstable RSC APIs, there is a potential client-side XSS issue in the RSC redirect handling if redirects come from untrusted sources.

Note: This only impacts your application if you are using the unstable RSC APIs in React Router.
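
For applications that pass redirect targets from untrusted sources to the client, the following added example (not part of the advisory and not React Router's own fix) shows one way to reject `javascript:` and other non-HTTP targets before navigating. The function name `safeRedirectTarget`, its parameters, and the sample hosts are assumptions made for illustration.

```javascript
// Added example, not React Router code: validate a redirect target that
// may come from an untrusted source before the client navigates to it.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized absolute URL when the target is safe to follow,
// or null when it must be rejected. `currentHref` (the page's own URL) and
// `allowedOrigins` (extra trusted origins) are hypothetical parameters.
function safeRedirectTarget(target, currentHref, allowedOrigins = []) {
  if (typeof target !== "string" || target.length === 0) return null;
  let url;
  try {
    // The WHATWG URL parser strips leading whitespace and embedded
    // tabs/newlines and lowercases the scheme, so "java\tscript:" and
    // "JaVaScRiPt:" are both seen here as the javascript: scheme.
    url = new URL(target, currentHref);
  } catch {
    return null; // unparseable target: refuse rather than guess
  }
  // Scheme allowlist: blocks javascript:, data:, blob:, vbscript:, etc.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Same-origin by default; cross-origin only when explicitly trusted.
  const sameOrigin = url.origin === new URL(currentHref).origin;
  if (!sameOrigin && !allowedOrigins.includes(url.origin)) return null;
  return url.href;
}

// Constructed sample targets (not taken from the advisory).
const CONSTRUCTED_SAMPLES = [
  "/dashboard?tab=1",
  "javascript:alert(1)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<b>x</b>",
  "//evil.example/login",
  "https://sso.example/callback",
];

for (const sample of CONSTRUCTED_SAMPLES) {
  const result = safeRedirectTarget(sample, "https://app.example/home", [
    "https://sso.example",
  ]);
  console.log(JSON.stringify(sample), "->", result ?? "REJECTED");
}
```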

Patch Available

Fix available through Seal Security. No upgrade required; protect your application instantly.

Score: 8
Severity: High
Ecosystem: JavaScript
Publish Date: June 3, 2026
Modified Date: June 3, 2026
Score Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Affected Versions