Cross-site request forgery in webpack-dev-server - CVE-2026-14620

 

Cross-site request forgery in webpack-dev-server - CVE-2026-14620

Published: July 7, 2026


Vulnerability identifier: #VU137027
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-14620
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: webpack
Affected software:
webpack-dev-server

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to cross-site request forgery in the /webpack-dev-server/open-editor and /webpack-dev-server/invalidate endpoints when handling cross-origin GET requests from a website visited by a developer while the dev server is running. A remote attacker can cause the victim's browser to send specially crafted requests to trigger editor launches and recompilations to cause a denial of service.

User interaction is required because the developer must visit a malicious website while the dev server is running. The issue can also cause an arbitrary existing local file to be opened in the developer's editor, including files outside the project root, but the file contents are not exposed to the attacker.


How to mitigate CVE-2026-14620

Install security update from vendor's website.

Sources