Cross-site request forgery in webpack-dev-server - CVE-2026-14620
Published: July 7, 2026
webpack-dev-server
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to cross-site request forgery in the /webpack-dev-server/open-editor and /webpack-dev-server/invalidate endpoints when handling cross-origin GET requests from a website visited by a developer while the dev server is running. A remote attacker can cause the victim's browser to send specially crafted requests to trigger editor launches and recompilations to cause a denial of service.
User interaction is required because the developer must visit a malicious website while the dev server is running. The issue can also cause an arbitrary existing local file to be opened in the developer's editor, including files outside the project root, but the file contents are not exposed to the attacker.