CVE-2026-14620 - Medium Severity Vulnerability
Vulnerable Library - webpack-dev-server-3.10.3.tgz
Serves a webpack app. Updates the browser on changes.
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-3.10.3.tgz
Path to dependency file: /client/package.json
Path to vulnerable library: /client/node_modules/webpack-dev-server/package.json
Dependency Hierarchy:
- react-scripts-3.4.1.tgz (Root Library)
- ❌ webpack-dev-server-3.10.3.tgz (Vulnerable Library)
Found in HEAD commit: 82d6429ed19093dbc56c092123fe7358b66c67b7
Found in base branch: master
Vulnerability Details
webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none.
Publish Date: 2026-07-03
URL: CVE-2026-14620
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-f5vj-f2hx-8m93
Release Date: 2026-07-03
Fix Resolution: webpack-dev-server - 5.2.6
Step up your Open Source Security Game with Mend here
CVE-2026-14620 - Medium Severity Vulnerability
Serves a webpack app. Updates the browser on changes.
Library home page: https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-3.10.3.tgz
Path to dependency file: /client/package.json
Path to vulnerable library: /client/node_modules/webpack-dev-server/package.json
Dependency Hierarchy:
Found in HEAD commit: 82d6429ed19093dbc56c092123fe7358b66c67b7
Found in base branch: master
webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none.
Publish Date: 2026-07-03
URL: CVE-2026-14620
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-f5vj-f2hx-8m93
Release Date: 2026-07-03
Fix Resolution: webpack-dev-server - 5.2.6
Step up your Open Source Security Game with Mend here