{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27148", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-18T00:18:53.961Z", "datePublished": "2026-02-25T21:46:48.967Z", "dateUpdated": "2026-02-25T21:46:48.967Z"}, "containers": {"cna": {"title": "Storybook Dev Server Vulnerable to WebSocket Hijacking", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w"}, {"name": "https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8", "tags": ["x_refsource_MISC"], "url": "https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8"}, {"name": "https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685", "tags": ["x_refsource_MISC"], "url": "https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685"}, {"name": "https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761", "tags": ["x_refsource_MISC"], "url": "https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761"}, {"name": "https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876", "tags": ["x_refsource_MISC"], "url": "https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876"}, {"name": "https://github.com/storybookjs/storybook/releases/tag/v10.2.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/storybookjs/storybook/releases/tag/v10.2.10"}, {"name": "https://github.com/storybookjs/storybook/releases/tag/v7.6.23", "tags": ["x_refsource_MISC"], "url": "https://github.com/storybookjs/storybook/releases/tag/v7.6.23"}, {"name": "https://github.com/storybookjs/storybook/releases/tag/v8.6.17", "tags": ["x_refsource_MISC"], "url": "https://github.com/storybookjs/storybook/releases/tag/v8.6.17"}, {"name": "https://github.com/storybookjs/storybook/releases/tag/v9.1.19", "tags": ["x_refsource_MISC"], "url": "https://github.com/storybookjs/storybook/releases/tag/v9.1.19"}], "affected": [{"vendor": "storybookjs", "product": "storybook", "versions": [{"version": "< 7.6.23", "status": "affected"}, {"version": ">= 8.1.0, < 8.6.17", "status": "affected"}, {"version": ">= 9.0.0, < 9.1.19", "status": "affected"}, {"version": ">= 10.0.0, < 10.2.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T21:46:48.967Z"}, "descriptions": [{"lang": "en", "value": "Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue."}], "source": {"advisory": "GHSA-mjf5-7g4m-gx5w", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue."}], "id": "CVE-2026-27148", "lastModified": "2026-02-25T22:16:25.317", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T22:16:25.317", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8"}, {"source": "security-advisories@github.com", "url": "https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685"}, {"source": "security-advisories@github.com", "url": "https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761"}, {"source": "security-advisories@github.com", "url": "https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876"}, {"source": "security-advisories@github.com", "url": "https://github.com/storybookjs/storybook/releases/tag/v10.2.10"}, {"source": "security-advisories@github.com", "url": "https://github.com/storybookjs/storybook/releases/tag/v7.6.23"}, {"source": "security-advisories@github.com", "url": "https://github.com/storybookjs/storybook/releases/tag/v8.6.17"}, {"source": "security-advisories@github.com", "url": "https://github.com/storybookjs/storybook/releases/tag/v9.1.19"}, {"source": "security-advisories@github.com", "url": "https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "storybook: Storybook: Remote Code Execution via WebSocket Hijacking", "id": "2442784", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442784"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-346", "details": ["No description is available for this CVE."], "name": "CVE-2026-27148", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Affected", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-02-25T21:46:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27148\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27148\nhttps://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8\nhttps://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685\nhttps://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761\nhttps://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876\nhttps://github.com/storybookjs/storybook/releases/tag/v10.2.10\nhttps://github.com/storybookjs/storybook/releases/tag/v7.6.23\nhttps://github.com/storybookjs/storybook/releases/tag/v8.6.17\nhttps://github.com/storybookjs/storybook/releases/tag/v9.1.19\nhttps://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w"], "statement": "This vulnerability affects the Storybook development server, which is not intended for production deployments. Exploitation typically requires a developer to visit a malicious website while their local Storybook dev server is active. If the dev server is publicly exposed, unauthenticated attackers can directly interact with it, potentially leading to persistent cross-site scripting (XSS) or remote code execution (RCE). This primarily impacts development environments using Storybook within Red Hat AMQ, Red Hat Enterprise Linux, Red Hat In-Vehicle OS, and Community Projects.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.6.23)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.1.0,8.6.17)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.1.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,10.2.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "storybook", "source": "cna", "vendor": "storybookjs"}, "product": "storybook", "vendor": "storybookjs"}], "created": "2026-02-26T13:10:49.655296+00:00", "updated": "2026-02-26T13:10:49.655381+00:00", "vendors": ["storybookjs", "storybookjs$PRODUCT$storybook"]}