Skip to main content

Storybook CVE-2026-27148

HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-02-25 security-advisories@github.com GHSA-mjf5-7g4m-gx5w
8.9
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

Browser-mediated reach to a running localhost dev server plus required malicious-site visit gives AV:N/AC:H/UI:R/PR:N; story-write breaking out to host RCE is a scope change (S:C) with full C/I/A impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

10
Analysis Updated
Jun 30, 2026 - 05:20 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:19 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:19 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:17 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:23 NVD
CRITICAL HIGH
CVSS changed
Jun 30, 2026 - 03:23 NVD
9.6 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Mar 10, 2026 - 19:21 nvd
Patch available
CVE Published
Feb 25, 2026 - 22:16 nvd
CRITICAL 9.6

DescriptionCVE.org

Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.

AnalysisAI

Cross-site WebSocket hijacking leading to persistent XSS and Remote Code Execution affects Storybook's dev server prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10. Because the dev server's story create/save WebSocket handlers fail to validate the connection origin and do not sanitize the componentFilePath field, a malicious website silently injects WebSocket messages into a developer's locally running instance to plant XSS or execute code; publicly exposed dev servers can be hit directly by any unauthenticated attacker. No public exploit identified at time of analysis, and EPSS is low at 0.17% (38th percentile), but the high CVSS 4.0 score of 8.9 and confirmed RCE impact make this a meaningful developer-workstation risk.

Technical ContextAI

Storybook is a Node.js-based frontend workshop for developing UI components in isolation; during development it runs a local dev server that exposes a WebSocket channel used by the UI to create and update stories on disk. The root cause is CWE-74 (improper neutralization of special elements / injection): the WebSocket handlers for the create-story and save-story operations accept the componentFilePath value without sanitization, and the WebSocket endpoint performs no origin validation. The missing origin check is the classic Cross-Site WebSocket Hijacking (CSWSH) pattern - browsers do not enforce same-origin policy on WebSocket handshakes, so any web page the developer visits can open a socket to localhost. Combined with the unsanitized path/content being written into story files, the injected payload yields persistent stored XSS in the Storybook UI and, because story files are evaluated in the Node dev-server/build context, escalates to arbitrary code execution on the developer host. The affected component is the storybook package on the node.js platform (cpe:2.3:a:storybook:storybook), spanning the 7.x, 8.x, 9.x, and 10.x release lines.

RemediationAI

Vendor-released patch: upgrade to Storybook 7.6.23, 8.6.17, 9.1.19, or 10.2.10 (whichever matches your major line) per the GitHub release notes (https://github.com/storybookjs/storybook/releases/tag/v10.2.10 and the v7.6.23, v8.6.17, v9.1.19 tags) and advisory GHSA-mjf5-7g4m-gx5w; the fixes landed in commits 0affdf92, 54689a8a, b8cfa77c, and d34085f3. Until patched, do not expose the Storybook dev server beyond localhost - bind it to 127.0.0.1 and avoid public exposure for design reviews/demos (trade-off: remote stakeholders must use a static production build or an authenticated VPN/tunnel instead). Run the dev server only while actively developing and shut it down otherwise to shrink the window in which a malicious site can reach it, and avoid browsing untrusted sites in the same browser session while it runs (trade-off: workflow friction). Where remote sharing is required, publish a static storybook build artifact rather than the live dev server, which is not affected.

Vendor StatusVendor

Share

CVE-2026-27148 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy