Skip to main content

create-react-app CVE-2026-14802

| EUVDEUVD-2026-41815 MEDIUM
OS Command Injection (CWE-78)
2026-07-06 VulDB GHSA-g9g6-gvq9-j4vp
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

OS command injection enabling arbitrary code execution warrants C:H/I:H/A:H; dev server binds to network with no auth, so AV:N/PR:N/AC:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 06, 2026 - 08:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Jul 06, 2026 - 07:53 vuln.today
CVE Published
Jul 06, 2026 - 06:30 cve.org
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

OS command injection in create-react-app's react-dev-utils component enables remote code execution on macOS developer workstations running version 5.0.1 or earlier. The vulnerability resides in the startBrowserProcess function of openBrowser.js, which processes unsanitized input that reaches a shell invocation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-reachable CRA dev server on macOS
Delivery
Send crafted request triggering startBrowserProcess
Exploit
Inject OS commands via unsanitized browser parameter
Execution
Execute arbitrary commands as developer user
Impact
Exfiltrate secrets or establish persistence

Vulnerability AssessmentAI

Exploitation The target machine must be running macOS with create-react-app version 5.0.1 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) characterizes this as a zero-complexity, unauthenticated, network-exploitable vulnerability - the most dangerous access profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer running create-react-app's dev server on macOS on a local network with the server bound to a non-loopback interface receives a crafted network request that triggers the startBrowserProcess function with injected shell metacharacters in a browser-path or URL parameter. The unsanitized input is passed directly to a shell execution context in openBrowser.js, causing arbitrary OS commands to execute under the developer's account - potentially exfiltrating .env secrets, SSH keys, or establishing a reverse shell. …
Remediation No vendor-released patch has been identified at time of analysis - the project maintainers have not responded to the disclosed issue (https://github.com/react/create-react-app/issues/17269). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14802 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy