Skip to main content

Create React App

1 CVEs product

Monthly

CVE-2026-14802 MEDIUM POC This Month

OS command injection in create-react-app's react-dev-utils component enables remote code execution on macOS developer workstations running version 5.0.1 or earlier. The vulnerability resides in the startBrowserProcess function of openBrowser.js, which processes unsanitized input that reaches a shell invocation. A publicly available proof-of-concept exploit exists via the project's GitHub issue tracker; no vendor patch has been released and the maintainers have not responded to disclosure, leaving the entire supported version history of this widely-used but now-archived tool permanently unpatched.

Command Injection Apple Create React App
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
1.3%
EPSS 1% CVSS 5.5
MEDIUM POC This Month

OS command injection in create-react-app's react-dev-utils component enables remote code execution on macOS developer workstations running version 5.0.1 or earlier. The vulnerability resides in the startBrowserProcess function of openBrowser.js, which processes unsanitized input that reaches a shell invocation. A publicly available proof-of-concept exploit exists via the project's GitHub issue tracker; no vendor patch has been released and the maintainers have not responded to disclosure, leaving the entire supported version history of this widely-used but now-archived tool permanently unpatched.

Command Injection Apple Create React App
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy