PT-2026-55871 · Unknown · Create-React-App+1

Dremig

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-14802

CVSS v2.0

7.5

High

VectorAV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions create-react-app versions prior to 5.0.2
Description On macOS, the startBrowserProcess() function within the openBrowser.js file of the react-dev-utils component allows for OS command injection. This issue enables remote exploitation through the manipulation of the specified function.
Recommendations As a temporary workaround, restrict the use of the startBrowserProcess() function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-14802

Affected Products

Create-React-App
React-Dev-Utils