SB2026070766 - Multiple vulnerabilities in webpack-dev-server
Published: July 7, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-14631)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the host-validation path when handling HTTP requests or WebSocket upgrade requests with malformed Host or Origin headers. A remote attacker can send a specially crafted request to cause a denial of service.
The issue can be triggered through a normal HTTP request or through a WebSocket upgrade to the default /ws endpoint.
2) Cross-site request forgery (CVE-ID: CVE-2026-14620)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to cross-site request forgery in the /webpack-dev-server/open-editor and /webpack-dev-server/invalidate endpoints when handling cross-origin GET requests from a website visited by a developer while the dev server is running. A remote attacker can cause the victim's browser to send specially crafted requests to trigger editor launches and recompilations to cause a denial of service.
User interaction is required because the developer must visit a malicious website while the dev server is running. The issue can also cause an arbitrary existing local file to be opened in the developer's editor, including files outside the project root, but the file contents are not exposed to the attacker.
Remediation
Install update from vendor's website.