Main Vulnerability Database Vulnerabilities #VU134926

Deserialization of Untrusted Data in React Router - CVE-2026-42211

Published: June 19, 2026

Vulnerability identifier: #VU134926

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-42211

CWE-ID: CWE-502

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Remix

Affected software:
React Router

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in React Router framework mode when handling external requests in an application that also contains an existing prototype pollution vulnerability. A remote attacker can send crafted external requests to execute arbitrary code.

Exploitation requires chaining with a pre-existing prototype pollution vulnerability in the application code and affects framework mode only.

How to mitigate CVE-2026-42211

Install security update from vendor's website.

Sources

https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h

Deserialization of Untrusted Data in React Router - CVE-2026-42211

Detailed vulnerability description

How to mitigate CVE-2026-42211

Sources

Please verify you're human