FKIE_CVE-2026-27148

Vulnerability from fkie_nvd - Published: 2026-02-25 22:16 - Updated: 2026-02-27 14:06
Severity ?
8.9 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.
References
security-advisories@github.comhttps://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8
security-advisories@github.comhttps://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685
security-advisories@github.comhttps://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761
security-advisories@github.comhttps://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876
security-advisories@github.comhttps://github.com/storybookjs/storybook/releases/tag/v10.2.10
security-advisories@github.comhttps://github.com/storybookjs/storybook/releases/tag/v7.6.23
security-advisories@github.comhttps://github.com/storybookjs/storybook/releases/tag/v8.6.17
security-advisories@github.comhttps://github.com/storybookjs/storybook/releases/tag/v9.1.19
security-advisories@github.comhttps://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook\u0027s dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue."
    },
    {
      "lang": "es",
      "value": "Storybook es un taller de frontend para construir componentes de interfaz de usuario y p\u00e1ginas de forma aislada. Anteriormente a las versiones 7.6.23, 8.6.17, 9.1.19 y 10.2.10, la funcionalidad WebSocket en el servidor de desarrollo de Storybook, utilizada para crear y actualizar historias, es vulnerable a secuestro de WebSocket. Esta vulnerabilidad solo afecta al servidor de desarrollo de Storybook; las compilaciones de producci\u00f3n no se ven afectadas. La explotaci\u00f3n requiere que un desarrollador visite un sitio web malicioso mientras su servidor de desarrollo local de Storybook est\u00e1 en ejecuci\u00f3n. Debido a que la conexi\u00f3n WebSocket no valida el origen de las conexiones entrantes, un sitio malicioso puede enviar silenciosamente mensajes WebSocket a la instancia local sin ninguna interacci\u00f3n adicional del usuario. Si el servidor de desarrollo de Storybook se expone intencionalmente al p\u00fablico (por ejemplo, para revisiones de dise\u00f1o o demostraciones a partes interesadas) el riesgo es mayor, ya que no se requiere la visita a un sitio malicioso. Cualquier atacante no autenticado puede enviarle mensajes WebSocket directamente. La vulnerabilidad afecta a los manejadores de mensajes WebSocket para crear y guardar historias. Ambos son vulnerables a la inyecci\u00f3n a trav\u00e9s de entrada no saneada en el campo componentFilePath, lo que puede ser explotado para lograr XSS persistente o Ejecuci\u00f3n Remota de C\u00f3digo (RCE). Las versiones 7.6.23, 8.6.17, 9.1.19 y 10.2.10 contienen una soluci\u00f3n para el problema."
    }
  ],
  "id": "CVE-2026-27148",
  "lastModified": "2026-02-27T14:06:59.787",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.9,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-25T22:16:25.317",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/storybookjs/storybook/releases/tag/v10.2.10"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/storybookjs/storybook/releases/tag/v7.6.23"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/storybookjs/storybook/releases/tag/v8.6.17"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/storybookjs/storybook/releases/tag/v9.1.19"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        },
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.