{"id":"CVE-2026-33244","summary":"React Router has stored XSS via unescaped Location header in prerendered redirect HTML","details":"React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (`\u003cBrowserRouter\u003e`) or Data Mode (`createBrowserRouter/\u003cRouterProvider\u003e`). This is patched in version 7.13.2.","aliases":["GHSA-f22v-gfqf-p8f3"],"modified":"2026-06-18T03:56:38.719386540Z","published":"2026-06-02T16:59:31.104Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33244.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33244.json"},{"type":"ADVISORY","url":"https://github.com/remix-run/react-router/security/advisories/GHSA-f22v-gfqf-p8f3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33244"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/remix-run/react-router","events":[{"introduced":"5dd7c1580f2d782bded3f906a66d57005b083db9"},{"fixed":"aadb56fa532e0eaf7e7b91c1d88e1f325851eb04"}],"database_specific":{"cpe":"cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*","source":["AFFECTED_FIELD","CPE_RANGE"],"extracted_events":[{"introduced":"7.5.1"},{"fixed":"7.13.2"},{"introduced":"7.5.1"},{"fixed":"7.13.2"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33244.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}