CVE-2026-14620
Last modified
CVE-2026-14620 is a medium-severity vulnerability rated 4.7/10 on the CVSS scale. webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. EPSS estimates a 0.12% chance of exploitation in the next 30 days.
Description
webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Webpack.Js | Webpack-Dev-Server | < 5.2.6 |
References
- https://cna.openjsf.org/security-advisories.htmlThird Party Advisory
- https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-f5vj-f2hx-8m93Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-14620?
How severe is CVE-2026-14620?
How do I fix CVE-2026-14620?
Related CVEs from 2026
- CVE-2026-14614A flaw was found in the ClientResource component of Keycloak…5.4
- CVE-2026-14615A flaw was found in the Fine-Grained Admin Permissions (FGAP…4.3
- CVE-2026-14617A security vulnerability has been detected in NousResearch h…3.1
- CVE-2026-14618A vulnerability was detected in Open5GS up to 2.7.7. Affecte…4.3
- CVE-2026-14619A flaw has been found in itsourcecode Hospital Management Sy…6.3
- CVE-2026-1462A vulnerability in the `TFSMLayer` class of the `keras` pack…8.8
- CVE-2026-14621A vulnerability has been found in FederatedAI FATE up to 2.2…3.1
- CVE-2026-14622A vulnerability was found in jairiidriss restaurant-website-…7.3
- CVE-2026-14623A vulnerability was determined in omec-project amf up to 2.1…4.3
- CVE-2026-14624A vulnerability was identified in omec-project amf up to 2.0…4.3
- CVE-2026-14625A security flaw has been discovered in NousResearch hermes-a…6.3
- CVE-2026-14626A weakness has been identified in NousResearch hermes-agent …4.3
Are you affected by CVE-2026-14620?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
