SB2026051243 - Exposed dangerous method or function in webpack-dev-server




Published: May 12, 2026

Security Bulletin ID: SB2026051243
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Exposed dangerous method or function (CVE-ID: CVE-2026-6402)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper restriction of dangerous functionality in the access controls for the dev server's JavaScript bundles when handling cross-origin requests from malicious websites over a non-HTTPS origin. A remote attacker can load the dev server's JavaScript bundles and intercept the webpack runtime's module registration to disclose sensitive information.

Exploitation requires user interaction: the victim must visit a malicious website. It also requires knowledge of the dev server host, port, and output path.


Remediation

Install the update from the vendor's website.