CVE Alert

CVE-2026-14620

MEDIUM 4.7

webpack-dev-server vulnerable to cross-site request forgery via internal developer endpoints

CVSS Score: 4.7
EPSS Score: 0.0%
EPSS Percentile: 0th

webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none.
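The flaw described above is that the two internal endpoints act on any GET without checking who issued it. As an added illustration (not webpack-dev-server's own patch, whose details are in the linked advisory), the following check shows how such endpoints can be gated so that only requests issued by the dev server's own page reach them, using the browser-set Sec-Fetch-Site header first and falling back to Origin/Referer, failing closed when neither is present. The dev-server origin and the request shape ({ url, headers }) are assumptions of this example.

```javascript
// Added illustrative check, not webpack-dev-server's own code: admit requests
// to the internal endpoints only when the browser says they come from the dev
// server's own page. Request shape { url, headers } is assumed.

const INTERNAL_ENDPOINTS = new Set([
  "/webpack-dev-server/open-editor",
  "/webpack-dev-server/invalidate",
]);

// Return the lower-cased value of a header (case-insensitive name), or undefined.
function header(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) return String(v).toLowerCase();
  }
  return undefined;
}

// Decide whether a request may reach an internal endpoint.
// Returns { allowed, reason } so the decision can be logged by the caller.
function checkInternalRequest(req, devServerOrigin) {
  const ownOrigin = new URL(devServerOrigin).origin;
  const path = new URL(req.url, ownOrigin).pathname;
  if (!INTERNAL_ENDPOINTS.has(path)) {
    return { allowed: true, reason: "not an internal endpoint" };
  }
  // Fetch Metadata is set by the browser and cannot be altered by page script.
  // "same-site" is not enough: another port on localhost is a different origin.
  const site = header(req.headers, "sec-fetch-site");
  if (site !== undefined) {
    return site === "same-origin"
      ? { allowed: true, reason: "Sec-Fetch-Site: same-origin" }
      : { allowed: false, reason: `Sec-Fetch-Site: ${site}` };
  }
  // Clients without Fetch Metadata: compare Origin, then Referer, with the
  // dev server's own origin. Fail closed when neither header is present.
  const source = header(req.headers, "origin") ?? header(req.headers, "referer");
  if (source === undefined) {
    return { allowed: false, reason: "no Fetch Metadata, Origin or Referer" };
  }
  let sourceOrigin;
  try {
    sourceOrigin = new URL(source).origin; // "null" (opaque origin) throws here
  } catch {
    return { allowed: false, reason: "unparseable Origin/Referer" };
  }
  return sourceOrigin === ownOrigin
    ? { allowed: true, reason: "Origin/Referer matches dev server" }
    : { allowed: false, reason: `cross-origin request from ${sourceOrigin}` };
}
```

The hostnames in the test inputs below (localhost:8080, other-site.example) are constructed for the example.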

CWE: CWE-352, CWE-749
Vendor: webpack-dev-server
Product: webpack-dev-server
Published: Jul 3, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: Required (UI:R)
Scope: Changed (S:C)
Confidentiality: None (C:N)
Integrity: None (I:N)
Availability: Low (A:L)

Affected Versions

webpack-dev-server / webpack-dev-server: all versions before 5.2.6 (>= 0, < 5.2.6)

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-f5vj-f2hx-8m93
cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

Pig-Tail, bjohansebas, UlisesGascon