What is the severity of CVE-2026-21884?

CVE-2026-21884 has a CVSS v3 score of 8.2, which is classified as High severity.

Is there an exploit available for CVE-2026-21884?

No known public exploits are currently available for CVE-2026-21884.

Is there a patch available for CVE-2026-21884?

Yes, patches are available for CVE-2026-21884. Check the vendor advisories for update instructions.

CVE-2026-21884

Q: What is CVE-2026-21884?

A XSS vulnerability exists in in React Router's ` ` API in [Framework Mode](https://reactrouter.com/start/modes#framework) when using the `getKey`/`storageKey` props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. > [!NOTE] > This does not impact applications if developers have [disabled server-side rendering](https://reactrouter.com/how-to/spa) in Framework Mode, or if they are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (` `) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/` `).

Published: January 28, 2026

Last updated:21 hours ago (January 28, 2026)

Exploit: NoZero-day: NoPatch: YesTrend: Neutral

TL;DR

Updated January 28, 2026

CVE-2026-21884 is a high severity vulnerability with a CVSS score of 8.2. No known exploits currently, and patches are available.

Key Points

1High severity (CVSS 8.2/10)
2No known public exploits
3Vendor patches are available
4Strobes Priority Score: 596/1000 (Medium)

Severity Scores

CVSS v38.2

CVSS v20.0

Priority Score596.0

EPSS Score0.0

High

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

8.2

CVSS

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

A XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

[!NOTE] This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Required

Scope:Changed

Confidentiality:High

Integrity:Local

Availability:Network

Trend Analysis

Neutral

Advisories

GitHub Advisory NVD

Cite This Page

APA Format

Strobes VI. (2026). CVE-2026-21884 - CVE Details and Analysis. Strobes VI. Retrieved January 29, 2026, from https://vi.strobes.co/cve/CVE-2026-21884

Quick copy link + title

Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.