CVE-2026-53663

ADVISORY - github

Summary

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

EPSS Score⁠: 0.00016 (0.037)

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-352⁠

Cross-Site Request Forgery (CSRF)

Impacted images

Advisories

GitHub

CREATED

3 days ago

UPDATED

3 days ago

ADVISORY IDGHSA-84g9-w2xq-vcv6⁠

EXPLOITABILITY SCORE

1.6

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-352⁠

CVSS SCORE

3.1low

Chainguard

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY ID

CGA-mxwc-vww2-3q6q

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY