CVE-2026-22030 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-22030 PUBLISHED CVSS 6.5 MEDIUM

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.

EPSS 0.02% · 5.5th percentile

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS Score

0.02%

5.5th percentile

Affected Products

Vendor	Product	Versions
remix-run	server-runtime	0
shopify	react-router	7.0.0
remix-run	react-router	@remix-run/router < 2.17.3, react-router >= 7.0.0, < 7.12.0
npm	react-router	7.0.0
shopify	remix-run\/react	0

Timeline

Jan 8, 2026 CVE Published
Jan 10, 2026 EPSS Score
Jan 13, 2026 EPSS Score
Jan 15, 2026 EPSS Score
Jan 18, 2026 EPSS Score
Jan 20, 2026 EPSS Score
Jan 23, 2026 EPSS Score
Jan 25, 2026 EPSS Score
Jan 28, 2026 EPSS Score
Jan 30, 2026 EPSS Score
Feb 2, 2026 EPSS Score
Feb 5, 2026 EPSS Score

References

https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh url
https://nvd.nist.gov/vuln/detail/CVE-2026-22030 advisory
https://github.com/remix-run/react-router package
https://www.ibm.com/support/pages/node/7268602 advisory
https://www.ibm.com/support/pages/node/7268724 advisory
https://www.ibm.com/support/pages/node/7268726 advisory
https://www.ibm.com/support/pages/node/7268604 advisory
https://www.ibm.com/support/pages/node/7268649 advisory
https://www.ibm.com/support/pages/node/7268725 advisory

Open in Interactive Console →