CVE-2026-21884: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in remix-run react-router
React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-21884 is a cross-site scripting (XSS) vulnerability categorized under CWE-79 that affects the React Router library, specifically versions @remix-run/react prior to 2.17.3 and react-router versions 7.0.0 through 7.11.0. The vulnerability arises in the <ScrollRestoration> API when used in Framework Mode with Server-Side Rendering (SSR), particularly when the getKey or storageKey properties are utilized to generate keys. During SSR, if these keys are generated from untrusted or unsanitized input, an attacker can inject malicious JavaScript code that executes on the server side, potentially compromising the application's integrity and leaking sensitive data. This issue is confined to SSR in Framework Mode; applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not affected. The vulnerability does not impact applications that disable SSR in Framework Mode. The flaw allows remote attackers to execute arbitrary scripts without requiring authentication, though user interaction is necessary to trigger the vulnerability. The CVSS v3.1 score of 8.2 reflects a high severity due to the potential confidentiality impact and the ease of exploitation over the network without privileges. No known exploits have been reported in the wild as of the publication date. The issue has been addressed in @remix-run/react version 2.17.3 and react-router version 7.12.0, where proper input neutralization and sanitization have been implemented to prevent malicious script injection during SSR key generation.
Potential Impact
The primary impact of this vulnerability is the potential for arbitrary JavaScript execution during server-side rendering, which can lead to several security risks including theft of sensitive data, session hijacking, and unauthorized actions performed on behalf of users. Since React Router is widely used in modern web applications built with React, many organizations relying on SSR in Framework Mode with vulnerable versions are at risk. Exploitation could compromise the confidentiality and integrity of web applications, potentially allowing attackers to manipulate rendered content or steal user credentials. Although availability is not directly affected, the breach of trust and data exposure can have severe reputational and financial consequences. The vulnerability's network accessibility and lack of required privileges increase the risk profile, especially for public-facing web applications. Organizations that do not use SSR in Framework Mode or use other routing modes are not impacted, reducing the overall attack surface. However, given the popularity of React and React Router in enterprise and consumer web applications, the scope of affected systems is significant worldwide.
Mitigation Recommendations
Organizations should immediately upgrade to @remix-run/react version 2.17.3 or later and react-router version 7.12.0 or later to apply the official patch that addresses this vulnerability. For applications that rely on SSR in Framework Mode, review and sanitize all inputs used in getKey and storageKey props to ensure no untrusted data is used for key generation. Implement strict Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks. Conduct thorough code audits focusing on SSR implementations and routing configurations to identify any unsafe usage patterns. If upgrading is not immediately feasible, consider disabling SSR in Framework Mode or switching to Declarative or Data Mode routing temporarily to mitigate exposure. Additionally, monitor application logs and network traffic for unusual activity that could indicate attempted exploitation. Educate development teams about secure coding practices related to SSR and input handling in React applications to prevent similar issues.
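The recommendation above to keep untrusted data out of getKey and storageKey can be expressed as a small guard around the key generation. The following is an added example written for this page; it is not code from the React Router project or from the advisory. It assumes the React Router getKey callback receives a `location` object with `pathname`, `search` and `hash`, that `storageKey` is passed as a plain string prop, and that the allowlist, the fallback value and the helper names (`safeScrollKey`, `getScrollKey`) are this example's own choices. Upgrading remains the fix; the guard only enforces the "no untrusted content in keys" rule for code that has to run on an unpatched version for a while.

```javascript
// Added example (not React Router project code): defensive key generation
// for <ScrollRestoration> in Framework Mode with SSR. The key is derived
// from pathname only and must pass a strict allowlist, so request-controlled
// text (query string, hash, user data) never reaches the key.

// Allowlist: URL path characters only, bounded length. Quotes, angle
// brackets, backslashes and control characters are rejected so the key
// cannot carry markup or script delimiters into server-rendered output.
const SAFE_KEY = /^[A-Za-z0-9\/._~-]{1,200}$/;
const FALLBACK_KEY = "default"; // assumed fallback for this example

function isSafeScrollKey(key) {
  return typeof key === "string" && SAFE_KEY.test(key);
}

// Normalise a candidate key (collapse repeated slashes, strip a trailing
// slash) and return the fallback when it fails validation.
function safeScrollKey(candidate) {
  if (typeof candidate !== "string") return FALLBACK_KEY;
  const normalised = candidate
    .replace(/\/{2,}/g, "/")
    .replace(/(.)\/$/, "$1");
  return isSafeScrollKey(normalised) ? normalised : FALLBACK_KEY;
}

// getKey derives the key from pathname only: `search` and `hash` are the
// usual carriers of user-controlled text and are deliberately excluded.
function getScrollKey(location /*, matches */) {
  return safeScrollKey(location.pathname);
}

// storageKey is a constant chosen at build time, never built from request data.
const SCROLL_STORAGE_KEY = "app-scroll-positions";

// Usage in the root route (JSX shown as a comment):
//   <ScrollRestoration getKey={getScrollKey} storageKey={SCROLL_STORAGE_KEY} />

// Constructed sample locations exercising the guard.
const sampleLocations = [
  { pathname: "/docs/getting-started", search: "?q=anything", hash: "" },
  { pathname: "/docs//nested/", search: "", hash: "" },
  { pathname: "/docs/</'\"", search: "", hash: "" },
];

// Review aid: list which sample paths would be replaced by the fallback.
function rejectedSamples() {
  return sampleLocations
    .map((loc) => loc.pathname)
    .filter((p) => safeScrollKey(p) === FALLBACK_KEY);
}
```

The allowlist is intentionally narrower than what a URL path may legally contain; anything that needs percent-encoding or non-ASCII is mapped to the fallback rather than passed through, which costs a little scroll-restoration fidelity on exotic paths and removes a whole class of delimiter problems from the SSR output.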
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T17:24:36.928Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961c40f19784dcf52ace86a
Added to database: 1/10/2026, 3:14:23 AM
Last enriched: 2/27/2026, 8:03:26 AM
Last updated: 3/25/2026, 3:04:05 AM