Storybook
CVE-2026-27148
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Browser-mediated reach to a running localhost dev server plus required malicious-site visit gives AV:N/AC:H/UI:R/PR:N; story-write breaking out to host RCE is a scope change (S:C) with full C/I/A impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.
AnalysisAI
Cross-site WebSocket hijacking leading to persistent XSS and Remote Code Execution affects Storybook's dev server prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10. Because the dev server's story create/save WebSocket handlers fail to validate the connection origin and do not sanitize the componentFilePath field, a malicious website silently injects WebSocket messages into a developer's locally running instance to plant XSS or execute code; publicly exposed dev servers can be hit directly by any unauthenticated attacker. No public exploit identified at time of analysis, and EPSS is low at 0.17% (38th percentile), but the high CVSS 4.0 score of 8.9 and confirmed RCE impact make this a meaningful developer-workstation risk.
Technical ContextAI
Storybook is a Node.js-based frontend workshop for developing UI components in isolation; during development it runs a local dev server that exposes a WebSocket channel used by the UI to create and update stories on disk. The root cause is CWE-74 (improper neutralization of special elements / injection): the WebSocket handlers for the create-story and save-story operations accept the componentFilePath value without sanitization, and the WebSocket endpoint performs no origin validation. The missing origin check is the classic Cross-Site WebSocket Hijacking (CSWSH) pattern - browsers do not enforce same-origin policy on WebSocket handshakes, so any web page the developer visits can open a socket to localhost. Combined with the unsanitized path/content being written into story files, the injected payload yields persistent stored XSS in the Storybook UI and, because story files are evaluated in the Node dev-server/build context, escalates to arbitrary code execution on the developer host. The affected component is the storybook package on the node.js platform (cpe:2.3:a:storybook:storybook), spanning the 7.x, 8.x, 9.x, and 10.x release lines.
RemediationAI
Vendor-released patch: upgrade to Storybook 7.6.23, 8.6.17, 9.1.19, or 10.2.10 (whichever matches your major line) per the GitHub release notes (https://github.com/storybookjs/storybook/releases/tag/v10.2.10 and the v7.6.23, v8.6.17, v9.1.19 tags) and advisory GHSA-mjf5-7g4m-gx5w; the fixes landed in commits 0affdf92, 54689a8a, b8cfa77c, and d34085f3. Until patched, do not expose the Storybook dev server beyond localhost - bind it to 127.0.0.1 and avoid public exposure for design reviews/demos (trade-off: remote stakeholders must use a static production build or an authenticated VPN/tunnel instead). Run the dev server only while actively developing and shut it down otherwise to shrink the window in which a malicious site can reach it, and avoid browsing untrusted sites in the same browser session while it runs (trade-off: workflow friction). Where remote sharing is required, publish a static storybook build artifact rather than the live dev server, which is not affected.
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mjf5-7g4m-gx5w