ByteOS Network

NVD Vulnerability Details :

CVE-2026-27148

Awaiting Analysis

Source-security-advisories@github.com

Published At-25 Feb, 2026 | 22:16

Updated At-27 Feb, 2026 | 14:06

Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.9	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 8.9

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-74	Primary	security-advisories@github.com
CWE-79	Primary	security-advisories@github.com

CWE ID: CWE-74

Type: Primary

Source: security-advisories@github.com

CWE ID: CWE-79

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8	security-advisories@github.com	N/A
https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685	security-advisories@github.com	N/A
https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761	security-advisories@github.com	N/A
https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876	security-advisories@github.com	N/A
https://github.com/storybookjs/storybook/releases/tag/v10.2.10	security-advisories@github.com	N/A
https://github.com/storybookjs/storybook/releases/tag/v7.6.23	security-advisories@github.com	N/A
https://github.com/storybookjs/storybook/releases/tag/v8.6.17	security-advisories@github.com	N/A
https://github.com/storybookjs/storybook/releases/tag/v9.1.19	security-advisories@github.com	N/A
https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w	security-advisories@github.com	N/A