CVE-2026-21884: React Router SSR XSS in ScrollRestoration

January 8, 2026 (updated January 11, 2026)

A XSS vulnerability exists in in React Router’s <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

[!NOTE] This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

References

github.com/advisories/GHSA-8v8x-cx79-35w7
github.com/remix-run/react-router
github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7
nvd.nist.gov/vuln/detail/CVE-2026-21884

Code Behaviors & Features

Detect and mitigate CVE-2026-21884 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →