SB2026061985 - XSS via Meta component in React Router




Published: June 19, 2026

Security Bulletin ID: SB2026061985
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2025-59057)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in the Meta component's meta() API for script:ld+json tag generation when rendering untrusted content during server-side rendering in Framework Mode. A remote attacker can supply crafted content to execute arbitrary JavaScript in the victim's browser.

This issue affects Framework Mode and does not affect Declarative Mode or Data Mode.
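The description above concerns untrusted data reaching a script:ld+json tag during server-side rendering. The following is an added example, not React Router's code and not taken from the vendor's patch: it shows why raw JSON is unsafe inside a script element and one common way to serialize it safely. All function names and the sample object are constructed for illustration.

```javascript
// Added illustration; not React Router's implementation or patch.
// All function names are hypothetical.

// Characters that can end or alter the enclosing <script> element when they
// appear in JSON text, plus the U+2028/U+2029 line separators.
const UNSAFE = /[<>&\u2028\u2029]/g;
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Serialize a value for embedding in <script type="application/ld+json">.
// The \uXXXX forms are valid JSON string escapes, so parsers see the same data.
function serializeJsonForScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) throw new TypeError("value is not JSON-serializable");
  return json.replace(UNSAFE, (ch) => ESCAPES[ch]);
}

// Weak form: raw JSON.stringify output placed straight into the markup.
function renderJsonLdNaive(value) {
  return `<script type="application/ld+json">${JSON.stringify(value)}</script>`;
}

// Hardened form: escaped serialization.
function renderJsonLd(value) {
  return `<script type="application/ld+json">${serializeJsonForScript(value)}</script>`;
}

// Regression check: rendered markup must contain exactly one closing script tag.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: a headline taken from untrusted input that contains markup.
const sample = {
  "@context": "https://schema.org",
  "@type": "Article",
  headline: "Q&A </script><b>review</b>",
};

console.log(countScriptCloses(renderJsonLdNaive(sample))); // 2
console.log(countScriptCloses(renderJsonLd(sample))); // 1
```

A count above one from countScriptCloses means the data closed the element early; the same check can run in a server-side rendering test over any route that emits JSON-LD.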


Remediation

Install the update from the vendor's website.