CVE Catalog

CVE-2026-27148

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.54%

41th percentile - higher than 41% of all known CVEs

Summary

Storybook prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contains a WebSocket hijacking vulnerability in the dev server. Lack of origin validation allows an attacker to send malicious WebSocket messages, leading to persistent XSS or Remote Code Execution (RCE) via unsanitized componentFilePath input.

Risk Assessment

The risk for the organization is the potential takeover of a developer's local dev server, which could lead to data theft, code modification, or further attacks on the developer's infrastructure. If the server is publicly exposed, the risk is higher as no user interaction is required.

Recommendation

Immediately update Storybook to version 7.6.23, 8.6.17, 9.1.19, or 10.2.10. Additionally, avoid exposing the dev server publicly and implement origin validation for WebSocket connections.

Original NVD description (English source)

Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS