#VU124088 Code Injection in React Router and Remix - CVE-2026-21884
Published: March 18, 2026 / Updated: March 19, 2026
Vulnerability identifier: #VU124088
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-21884
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
React Router
Remix
React Router
Remix
Software vendor:
Remix
Remix
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within API in Framework Mode when using the getKey/storageKey props during server-side rendering. A remote attacker can pass specially crafted request and execute arbitrary JavaScript code during SSR if untrusted content is used to generate the keys.
Successful exploitation of this vulnerability requires that server-side rendering in Framework Mode is enabled.
Remediation
Install updates from vendor's website.