CVE-2026-27148

Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8	Patch
https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685	Patch
https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761	Patch
https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876	Patch
https://github.com/storybookjs/storybook/releases/tag/v10.2.10	Release Notes
https://github.com/storybookjs/storybook/releases/tag/v7.6.23	Release Notes
https://github.com/storybookjs/storybook/releases/tag/v8.6.17	Release Notes
https://github.com/storybookjs/storybook/releases/tag/v9.1.19	Release Notes
https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:storybook:storybook::::::node.js::*
	cpe:2.3:a:storybook:storybook::::::node.js::*
	cpe:2.3:a:storybook:storybook::::::node.js::*
	cpe:2.3:a:storybook:storybook::::::node.js::*

History

10 Mar 2026, 19:21

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.6
References	~~() https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8 -~~	() https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8 - Patch
References	~~() https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685 -~~	() https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685 - Patch
References	~~() https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761 -~~	() https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761 - Patch
References	~~() https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876 -~~	() https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876 - Patch
References	~~() https://github.com/storybookjs/storybook/releases/tag/v10.2.10 -~~	() https://github.com/storybookjs/storybook/releases/tag/v10.2.10 - Release Notes
References	~~() https://github.com/storybookjs/storybook/releases/tag/v7.6.23 -~~	() https://github.com/storybookjs/storybook/releases/tag/v7.6.23 - Release Notes
References	~~() https://github.com/storybookjs/storybook/releases/tag/v8.6.17 -~~	() https://github.com/storybookjs/storybook/releases/tag/v8.6.17 - Release Notes
References	~~() https://github.com/storybookjs/storybook/releases/tag/v9.1.19 -~~	() https://github.com/storybookjs/storybook/releases/tag/v9.1.19 - Release Notes
References	~~() https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w -~~	() https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w - Vendor Advisory
CPE		cpe:2.3:a:storybook:storybook::::::node.js::*
First Time		Storybook Storybook storybook

27 Feb 2026, 14:06

Type	Values Removed	Values Added
Summary		(es) Storybook es un taller de frontend para construir componentes de interfaz de usuario y páginas de forma aislada. Anteriormente a las versiones 7.6.23, 8.6.17, 9.1.19 y 10.2.10, la funcionalidad WebSocket en el servidor de desarrollo de Storybook, utilizada para crear y actualizar historias, es vulnerable a secuestro de WebSocket. Esta vulnerabilidad solo afecta al servidor de desarrollo de Storybook; las compilaciones de producción no se ven afectadas. La explotación requiere que un desarrollador visite un sitio web malicioso mientras su servidor de desarrollo local de Storybook está en ejecución. Debido a que la conexión WebSocket no valida el origen de las conexiones entrantes, un sitio malicioso puede enviar silenciosamente mensajes WebSocket a la instancia local sin ninguna interacción adicional del usuario. Si el servidor de desarrollo de Storybook se expone intencionalmente al público (por ejemplo, para revisiones de diseño o demostraciones a partes interesadas) el riesgo es mayor, ya que no se requiere la visita a un sitio malicioso. Cualquier atacante no autenticado puede enviarle mensajes WebSocket directamente. La vulnerabilidad afecta a los manejadores de mensajes WebSocket para crear y guardar historias. Ambos son vulnerables a la inyección a través de entrada no saneada en el campo componentFilePath, lo que puede ser explotado para lograr XSS persistente o Ejecución Remota de Código (RCE). Las versiones 7.6.23, 8.6.17, 9.1.19 y 10.2.10 contienen una solución para el problema.

25 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-25 22:16

Updated : 2026-03-10 19:21

NVD link : CVE-2026-27148

Mitre link : CVE-2026-27148

CVE.ORG link : CVE-2026-27148

JSON object : View

Products Affected

storybook

storybook

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

9.6 /10