https://vulnerability.circl.lu/sightings/feed 2026-06-04T07:00:36.016570+00:00 Vulnerability-Lookup info@circl.lu python-feedgen Contains only the most 10 recent sightings. https://vulnerability.circl.lu/sighting/2dfedbcc-bf75-4f0a-872e-02745e323f45/export 2026-06-04T07:00:36.389969+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "2dfedbcc-bf75-4f0a-872e-02745e323f45", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42211", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mndiim3lfp2f", "content": "\ud83d\udfe0 CVE-2026-42211 - High (8.1)\n\nReact Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, ...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42211/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-02T21:01:25.605395Z"} 2026-06-02T21:01:25.605395+00:00 https://vulnerability.circl.lu/sighting/f1abc119-b899-4d6b-94bf-ddd3a22a3e64/export 2026-06-04T07:00:36.389837+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "f1abc119-b899-4d6b-94bf-ddd3a22a3e64", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42211", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mndqabi4xb2m", "content": "CVE-2026-42211 - React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE\nCVE ID : CVE-2026-42211\n \n Published : June 2, 2026, 8:16 p.m. | 2\u00a0hours, 57\u00a0minutes ago\n \n Description : React Router is a rou...", "creation_timestamp": "2026-06-02T23:19:55.179854Z"} 2026-06-02T23:19:55.179854+00:00 https://vulnerability.circl.lu/sighting/f593c105-eaf5-4e8e-9473-8bd27a68e875/export 2026-06-04T07:00:36.389663+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "f593c105-eaf5-4e8e-9473-8bd27a68e875", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42211", "type": "seen", "source": "https://gist.github.com/alon710/6d419a56b43f4ac63f23facb23062d82", "content": "# CVE-2026-42211: CVE-2026-42211: Remote Code Execution via Insecure Deserialization in React Router Framework Mode\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-06-03\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42211\n\n## Summary\nA critical vulnerability exists in React Router v7 when running in Framework Mode. The vulnerability arises from insecure deserialization of TYPE_ERROR objects in the internal turbo-stream library, which resolves constructors from the global scope. If an application contains an independent prototype pollution vulnerability, an attacker can trigger unauthenticated Remote Code Execution (RCE) on the server.\n\n## TL;DR\nAn insecure deserialization vulnerability in React Router Framework Mode allows unauthenticated Remote Code Execution (RCE) when chained with prototype pollution.\n\n## Technical Details\n\n- **CWE ID**: CWE-502\n- **Attack Vector**: Network\n- **CVSS Score**: 8.1\n- **EPSS Score**: 0.00252\n- **Exploit Status**: poc\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- React Router v7 applications deployed in Framework Mode\n- **react-router**: >= 7.0.0, < 7.14.2 (Fixed in: `7.14.2`)\n\n## Mitigation\n\n- Upgrade react-router to version 7.14.2 or later\n- Launch Node.js with prototype mutation protections disabled (--disable-proto=throw)\n- Implement strict input validation on JSON/query payloads to prevent prototype pollution\n\n**Remediation Steps:**\n1. Identify any react-router installations in your package.json mapping to versions >= 7.0.0 and < 7.14.2\n2. Execute the appropriate package manager command to update (e.g., npm install react-router@latest)\n3. Optionally add the --disable-proto=throw flag to the Node.js startup command in production environments\n\n## References\n\n- [GitHub Security Advisory GHSA-49rj-9fvp-4h2h](https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h)\n- [NVD - CVE-2026-42211](https://nvd.nist.gov/vuln/detail/CVE-2026-42211)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42211) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T00:40:58.000000Z"} 2026-06-04T00:40:58+00:00 https://vulnerability.circl.lu/sighting/f6b27e5b-3d14-4b86-af18-5fab54acadee/export 2026-06-04T07:00:36.387621+00:00 Automation user https://vulnerability.circl.lu/user/automation {"uuid": "f6b27e5b-3d14-4b86-af18-5fab54acadee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42211", "type": "seen", "source": "https://gist.github.com/alon710/cecab85d181ca5255e1b29e5e5dd0f30", "content": "# CVE-2026-42211: CVE-2026-42211: Remote Code Execution via Insecure Deserialization in React Router Framework Mode\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-06-03\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42211\n\n## Summary\nA critical vulnerability exists in React Router v7 when running in Framework Mode. The vulnerability arises from insecure deserialization of TYPE_ERROR objects in the internal turbo-stream library, which resolves constructors from the global scope. If an application contains an independent prototype pollution vulnerability, an attacker can trigger unauthenticated Remote Code Execution (RCE) on the server.\n\n## TL;DR\nAn insecure deserialization vulnerability in React Router Framework Mode allows unauthenticated Remote Code Execution (RCE) when chained with prototype pollution.\n\n## Technical Details\n\n- **CWE ID**: CWE-502\n- **Attack Vector**: Network\n- **CVSS Score**: 8.1\n- **EPSS Score**: 0.00252\n- **Exploit Status**: poc\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- React Router v7 applications deployed in Framework Mode\n- **react-router**: >= 7.0.0, < 7.14.2 (Fixed in: `7.14.2`)\n\n## Mitigation\n\n- Upgrade react-router to version 7.14.2 or later\n- Launch Node.js with prototype mutation protections disabled (--disable-proto=throw)\n- Implement strict input validation on JSON/query payloads to prevent prototype pollution\n\n**Remediation Steps:**\n1. Identify any react-router installations in your package.json mapping to versions >= 7.0.0 and < 7.14.2\n2. Execute the appropriate package manager command to update (e.g., npm install react-router@latest)\n3. Optionally add the --disable-proto=throw flag to the Node.js startup command in production environments\n\n## References\n\n- [GitHub Security Advisory GHSA-49rj-9fvp-4h2h](https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h)\n- [NVD - CVE-2026-42211](https://nvd.nist.gov/vuln/detail/CVE-2026-42211)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42211) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T00:50:54.000000Z"} 2026-06-04T00:50:54+00:00