PT-2026-55575 · Npm · Webpack-Dev-Server

Bjohansebas +2 · Published 2026-07-03 · Updated 2026-07-03 · CVE-2026-14620

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: webpack-dev-server versions prior to 5.2.6

Description: Internal developer endpoints '/webpack-dev-server/open-editor' and '/webpack-dev-server/invalidate' perform state-changing actions on GET requests without verifying the request origin. This allows any website visited by a developer to trigger these endpoints cross-origin. An attacker can open arbitrary local files in the developer's editor, including those outside the project root. Additionally, repeated requests can spawn multiple editor processes and force recompilations, leading to system performance degradation.

Recommendations: Upgrade to webpack-dev-server 5.2.6.
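As an added illustration (not webpack-dev-server's own code and not its 5.2.6 fix), a request gate for the two endpoints named above: it refuses GET, then checks the browser-supplied Sec-Fetch-Site and Origin headers against the hosts the dev server is assumed to be served on. The `allowedHosts` default and the sample requests are constructed assumptions.

```javascript
const PROTECTED_PATHS = new Set([
  '/webpack-dev-server/open-editor',
  '/webpack-dev-server/invalidate',
]);

// Decide whether a request to a protected dev-server endpoint may proceed.
// `req` mirrors Node's http.IncomingMessage shape: { method, url, headers }
// with lowercase header names. `allowedHosts` is an assumption: the hosts the
// developer actually serves the dev server on.
function checkDevEndpointRequest(req, allowedHosts = ['localhost', '127.0.0.1']) {
  const { pathname } = new URL(req.url, 'http://localhost');
  if (!PROTECTED_PATHS.has(pathname)) return { allowed: true, reason: 'unprotected path' };

  // 1. State changes require POST. Cross-site <img>, <script> and link
  //    navigations can only issue GET, so this alone stops the reported cases.
  if (req.method !== 'POST') return { allowed: false, reason: 'method not POST' };

  // 2. Sec-Fetch-Site is set by current browsers and cannot be forged by a page.
  const site = req.headers['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin') {
    return { allowed: false, reason: `sec-fetch-site=${site}` };
  }

  // 3. Browsers attach Origin to every POST; its host must be one we serve on.
  //    Non-browser tools must therefore send Origin explicitly (strict by design).
  const origin = req.headers['origin'];
  if (origin === undefined) return { allowed: false, reason: 'missing origin' };
  let originHost;
  try { originHost = new URL(origin).hostname; } catch { return { allowed: false, reason: 'malformed origin' }; }
  if (!allowedHosts.includes(originHost)) return { allowed: false, reason: `origin host ${originHost}` };

  return { allowed: true, reason: 'same-origin POST' };
}

// Constructed sample requests (not captured traffic).
const crossSiteGet = { method: 'GET', url: '/webpack-dev-server/invalidate',
  headers: { 'sec-fetch-site': 'cross-site', origin: 'http://third-party.example' } };
const sameOriginPost = { method: 'POST', url: '/webpack-dev-server/invalidate',
  headers: { 'sec-fetch-site': 'same-origin', origin: 'http://localhost:8080' } };

console.log(checkDevEndpointRequest(crossSiteGet));   // { allowed: false, reason: 'method not POST' }
console.log(checkDevEndpointRequest(sameOriginPost)); // { allowed: true, reason: 'same-origin POST' }
```

The `reason` field is meant for a dev-server log line, so a developer can see which check rejected a request rather than only that it was blocked.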

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-14620

Affected Products

Webpack-Dev-Server