Cross-site scripting in Remix - CVE-2025-59057

 


Published: June 19, 2026


Vulnerability identifier: #VU134931
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2025-59057
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Remix
Affected software:
Remix

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in the Meta component's meta() API for script:ld+json tag generation when rendering untrusted content during server-side rendering in Framework Mode. A remote attacker can supply crafted content to execute arbitrary JavaScript in the victim's browser.

This issue affects Framework Mode and does not affect Declarative Mode or Data Mode.
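The failure mode described above, shown as an added example: this is not Remix's code and is not taken from the advisory. It contrasts naive JSON-LD serialization into a script element with an escaped form. The function names and the sample object are constructed for illustration.

```javascript
// Added example: hypothetical helper names, not Remix's implementation.

// Characters in a JSON string value that can affect the surrounding HTML or
// script parsing: "<" (ends the element via "</script>", opens "<!--"),
// ">" and "&", plus the U+2028/U+2029 line separators.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Naive form: JSON.stringify does not escape "<", so a string value that
// contains "</script>" ends the script element early during SSR.
function renderJsonLdNaive(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened form: parses back to the same JSON value, but no raw "<", ">"
// or "&" from the data ever reaches the HTML parser.
function renderJsonLdSafe(data) {
  const json = JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
  return `<script type="application/ld+json">${json}</script>`;
}

// Count how many times the markup closes a script element.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: an untrusted product name carrying a closing tag.
const untrusted = {
  "@context": "https://schema.org",
  "@type": "Product",
  name: "Widget</script><b>injected markup</b>",
};

const naive = renderJsonLdNaive(untrusted);
const safe = renderJsonLdSafe(untrusted);
console.log("script closes, naive:", countScriptCloses(naive));
console.log("script closes, safe:", countScriptCloses(safe));
```

A review or test for code that feeds user-controlled values into JSON-LD metadata can use the same check: the rendered markup should close the script element exactly once.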


How to mitigate CVE-2025-59057

Install the security update from the vendor's website.
