By vendor

Shopify vulnerabilities

Known CVEs affecting Shopify products, prioritized by severity, with SEC.co remediation and detection guidance.

6 published vulnerabilities

  • CVE-2026-42211HIGH 8.1

    React Router versions 7.0.0 through 7.14.1 contain a high-severity vulnerability that could enable remote code execution when using Framework Mode. The attack is two-stage: it requires an application to already contain a prototype pollution flaw, which an attacker can then exploit to trigger unauthorized code execution on the server. Applications using the library's Declarative Mode or Data Mode routing are unaffected. The vulnerability was patched in version 7.14.2.

  • CVE-2026-33245HIGH 8.0

    React Router, a widely-used routing library for React applications, contains a cross-site scripting (XSS) vulnerability in its experimental React Server Components (RSC) feature. Versions 7.7.0 through 7.13.1 are affected. If an attacker can influence redirect instructions sent to your application—for example, through a compromised backend endpoint or man-in-the-middle scenario—malicious code could execute in users' browsers. The vulnerability is limited to applications actively using the unstable RSC APIs; standard React Router implementations are not impacted. A patch is available in version 7.13.2.

  • CVE-2026-34077HIGH 7.5

    React Router versions 7.7.0 through 7.13.1 contain a client-side Cross-Site Scripting (XSS) vulnerability when using the unstable React Server Components (RSC) APIs. If an application accepts redirect parameters from untrusted sources and processes them through React Router's RSC redirect handling, an attacker could inject malicious scripts that execute in users' browsers. The vulnerability does not affect applications that do not use the unstable RSC APIs. Shopify's React Router package released patch version 7.13.2 to address this issue.

  • CVE-2026-42342HIGH 7.5

    React Router and Remix applications using Framework Mode are vulnerable to a denial-of-service attack via crafted requests that exploit unbounded path expansion in the __manifest endpoint. An unauthenticated attacker can send specially constructed requests that cause the server to consume excessive resources, slowing response times or rendering the application unavailable to legitimate users. This does not affect applications built with Declarative Mode or Data Mode routing patterns.

  • CVE-2026-40181MEDIUM 6.1

    React Router, a widely-used navigation library for React applications, contains an open redirect vulnerability in specific versions. When certain URLs are passed to the redirect function, the library can inadvertently send users to an external website controlled by an attacker. This happens because paths beginning with double slashes (//) are misinterpreted as protocol-relative URLs, allowing an attacker to craft a malicious URL that bypasses the intended redirect destination. The vulnerability only affects applications using the programmatic redirect function; applications built with React Router's declarative mode (using <BrowserRouter>) are not impacted. The severity of the risk depends on how thoroughly the application validates URLs before redirecting.

  • CVE-2026-33244MEDIUM 5.4

    React Router versions 7.5.1 through 7.13.1 contain a cross-site scripting (XSS) vulnerability when used in Framework Mode with pre-rendering. If your application redirects users to untrusted URLs and generates static HTML files during build time, attackers can inject malicious scripts into those pre-rendered pages. This vulnerability does not affect applications using the more common Declarative Mode or Data Mode routing approaches. The issue has been fixed in version 7.13.2.