@tumaet/webapp-3.0.0.tgz: 5 vulnerabilities (highest severity is: 8.2) #306
Description
Vulnerable Library - @tumaet/webapp-3.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: dda3fbb299a276271fab349192c1d4710e3e571d
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (@tumaet/webapp version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-21884 |  High |
8.2 | react-router-7.5.2.tgz | Transitive | N/A* | ❌ |
| CVE-2026-22029 | High |
8.0 | react-router-7.5.2.tgz | Transitive | N/A* | ❌ |
| CVE-2025-59057 | High |
7.6 | react-router-7.5.2.tgz | Transitive | N/A* | ❌ |
| CVE-2026-22030 |  Medium |
6.5 | react-router-7.5.2.tgz | Transitive | N/A* | ❌ |
| CVE-2025-68470 | Medium |
6.5 | react-router-7.5.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-21884
Vulnerable Library - react-router-7.5.2.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @tumaet/webapp-3.0.0.tgz (Root Library)
- ❌ react-router-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: dda3fbb299a276271fab349192c1d4710e3e571d
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Publish Date: 2026-01-10
URL: CVE-2026-21884
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-8v8x-cx79-35w7
Release Date: 2026-01-09
Fix Resolution: @remix-run/react - 2.17.3,https://github.com/remix-run/react-router.git - create-react-router@7.12.0,react-router - 7.12.0
Step up your Open Source Security Game with Mend here
CVE-2026-22029
Vulnerable Library - react-router-7.5.2.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @tumaet/webapp-3.0.0.tgz (Root Library)
- ❌ react-router-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: dda3fbb299a276271fab349192c1d4710e3e571d
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode () is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Publish Date: 2026-01-10
URL: CVE-2026-22029
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-2w69-qvjg-hvjx
Release Date: 2026-01-08
Fix Resolution: https://github.com/remix-run/react-router.git - react-router@7.12.0,@remix-run/router - 1.23.2,https://github.com/remix-run/react-router.git - @remix-run/router@1.23.2,react-router - 7.12.0
Step up your Open Source Security Game with Mend here
CVE-2025-59057
Vulnerable Library - react-router-7.5.2.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @tumaet/webapp-3.0.0.tgz (Root Library)
- ❌ react-router-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: dda3fbb299a276271fab349192c1d4710e3e571d
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode () or Data Mode (createBrowserRouter/). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
Publish Date: 2026-01-10
URL: CVE-2025-59057
CVSS 3 Score Details (7.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-3cgp-3xvw-98x8
Release Date: 2026-01-09
Fix Resolution: https://github.com/remix-run/react-router.git - react-router@7.9.0,react-router - 7.9.0
Step up your Open Source Security Game with Mend here
CVE-2026-22030
Vulnerable Library - react-router-7.5.2.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @tumaet/webapp-3.0.0.tgz (Root Library)
- ❌ react-router-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: dda3fbb299a276271fab349192c1d4710e3e571d
Found in base branch: main
Vulnerability Details
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
Publish Date: 2026-01-10
URL: CVE-2026-22030
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-h5cw-625j-3rxh
Release Date: 2026-01-09
Fix Resolution: @remix-run/server-runtime - 2.17.3,react-router - 7.12.0
Step up your Open Source Security Game with Mend here
CVE-2025-68470
Vulnerable Library - react-router-7.5.2.tgz
Declarative routing for React
Library home page: https://registry.npmjs.org/react-router/-/react-router-7.5.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @tumaet/webapp-3.0.0.tgz (Root Library)
- ❌ react-router-7.5.2.tgz (Vulnerable Library)
Found in HEAD commit: dda3fbb299a276271fab349192c1d4710e3e571d
Found in base branch: main
Vulnerability Details
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Publish Date: 2026-01-10
URL: CVE-2025-68470
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9jcx-v3wj-wh4m
Release Date: 2026-01-08
Fix Resolution: https://github.com/remix-run/react-router.git - create-react-router@6.30.2,https://github.com/remix-run/react-router.git - create-react-router@7.9.6,react-router - 7.9.6,react-router - 6.30.2
Step up your Open Source Security Game with Mend here