Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-42211— React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

CVSS 8.1 · High

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 1

VendorProductVersion RangeStatus
remix-runreact-router>= 7.0.0, < 7.14.2affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-42211

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
Source: NVD (National Vulnerability Database)
Vulnerability Description
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
remix-runreact-router >= 7.0.0, < 7.14.2 -

II. Public POCs for CVE-2026-42211

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 8246 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-42211

登录查看更多情报信息。

Vendor Advisories for CVE-2026-42211 (1)

Same Patch Batch · remix-run · 2026-06-02 · 6 CVEs total

CVE-2026-332458.0 HIGHReact Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect
CVE-2026-423427.5 HIGHReact Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
CVE-2026-340777.5 HIGHReact Router vulnerable to Denial of Service via reflected user input in single-fetch
CVE-2026-332445.4 MEDIUMReact Router has stored XSS via unescaped Location header in prerendered redirect HTML
CVE-2026-40181React Router's same-origin redirect with path starting // causes open redirect via protoco

IV. Related Vulnerabilities

Same product: react-router
Same vendor: remix-run
Same weakness: CWE-502

V. Comments for CVE-2026-42211

No comments yet

Leave a comment