CVE-2026-27148 (GCVE-0-2026-27148)
Vulnerability from cvelistv5
Published
2026-02-25 21:46
Modified
2026-02-26 20:26
Severity ?
8.9 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE
  • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.
References
Impacted products
Vendor Product Version
storybookjs storybook Version: < 7.6.23
Version: >= 8.1.0, < 8.6.17
Version: >= 9.0.0, < 9.1.19
Version: >= 10.0.0, < 10.2.10
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27148",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T20:25:54.835671Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T20:26:14.136Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "storybook",
          "vendor": "storybookjs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.6.23"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.1.0, \u003c 8.6.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 9.1.19"
            },
            {
              "status": "affected",
              "version": "\u003e= 10.0.0, \u003c 10.2.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook\u0027s dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T21:46:48.967Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w"
        },
        {
          "name": "https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8"
        },
        {
          "name": "https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685"
        },
        {
          "name": "https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761"
        },
        {
          "name": "https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876"
        },
        {
          "name": "https://github.com/storybookjs/storybook/releases/tag/v10.2.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/storybookjs/storybook/releases/tag/v10.2.10"
        },
        {
          "name": "https://github.com/storybookjs/storybook/releases/tag/v7.6.23",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/storybookjs/storybook/releases/tag/v7.6.23"
        },
        {
          "name": "https://github.com/storybookjs/storybook/releases/tag/v8.6.17",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/storybookjs/storybook/releases/tag/v8.6.17"
        },
        {
          "name": "https://github.com/storybookjs/storybook/releases/tag/v9.1.19",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/storybookjs/storybook/releases/tag/v9.1.19"
        }
      ],
      "source": {
        "advisory": "GHSA-mjf5-7g4m-gx5w",
        "discovery": "UNKNOWN"
      },
      "title": "Storybook Dev Server Vulnerable to WebSocket Hijacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27148",
    "datePublished": "2026-02-25T21:46:48.967Z",
    "dateReserved": "2026-02-18T00:18:53.961Z",
    "dateUpdated": "2026-02-26T20:26:14.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27148\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-26T20:25:54.835671Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-26T20:26:08.712Z\"}}], \"cna\": {\"title\": \"Storybook Dev Server Vulnerable to WebSocket Hijacking\", \"source\": {\"advisory\": \"GHSA-mjf5-7g4m-gx5w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"storybookjs\", \"product\": \"storybook\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 7.6.23\"}, {\"status\": \"affected\", \"version\": \"\u003e= 8.1.0, \u003c 8.6.17\"}, {\"status\": \"affected\", \"version\": \"\u003e= 9.0.0, \u003c 9.1.19\"}, {\"status\": \"affected\", \"version\": \"\u003e= 10.0.0, \u003c 10.2.10\"}]}], \"references\": [{\"url\": \"https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w\", \"name\": \"https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8\", \"name\": \"https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685\", \"name\": \"https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761\", \"name\": \"https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876\", \"name\": \"https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/storybookjs/storybook/releases/tag/v10.2.10\", \"name\": \"https://github.com/storybookjs/storybook/releases/tag/v10.2.10\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/storybookjs/storybook/releases/tag/v7.6.23\", \"name\": \"https://github.com/storybookjs/storybook/releases/tag/v7.6.23\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/storybookjs/storybook/releases/tag/v8.6.17\", \"name\": \"https://github.com/storybookjs/storybook/releases/tag/v8.6.17\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/storybookjs/storybook/releases/tag/v9.1.19\", \"name\": \"https://github.com/storybookjs/storybook/releases/tag/v9.1.19\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook\u0027s dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-25T21:46:48.967Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-27148\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T20:26:14.136Z\", \"dateReserved\": \"2026-02-18T00:18:53.961Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-25T21:46:48.967Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.