WebSocket Security Flaw in Storybook Development Server Affects User Interface Components
CVE-2026-27148
What is CVE-2026-27148?
The Storybook development server contains a vulnerability in its WebSocket handling that lets a malicious website hijack the connection (cross-site WebSocket hijacking). While a developer's local server is running, an attacker can send harmful WebSocket messages to it without user interaction. The issue is worse when the dev server is publicly exposed for demos or reviews, since unauthenticated attackers can then interact with the server directly. The vulnerable code paths are the WebSocket message handlers for creating and saving stories, where unsanitized input can lead to persistent XSS or remote code execution. Versions 7.6.23, 8.6.17, 9.1.19 and 10.2.10 have been patched to mitigate this risk.
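The hijacking described above works because the browser will open a WebSocket to the local dev server from any page, so the server-side control is to validate the Origin header during the upgrade handshake. The following is an added example and not Storybook's own code; the function names and the allowlist values are assumptions.

```javascript
// Added example (not Storybook's code): allow a WebSocket upgrade only when
// the Origin header canonicalises to an explicitly allowed dev-server origin.

// Canonicalise an Origin header value to "scheme://host:port". Returns null
// for a missing, opaque ("null"), non-http or malformed origin so that anything
// unexpected is treated as not allowed.
function canonicalOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  let u;
  try {
    u = new URL(origin);
  } catch {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  // A real Origin header carries no path, query, fragment or credentials.
  if (u.username || u.password || u.search || u.hash || u.pathname !== '/') return null;
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// True only when the presented Origin matches one of the allowed origins.
function isAllowedOrigin(originHeader, allowedOrigins) {
  const presented = canonicalOrigin(originHeader);
  if (presented === null) return false;
  return allowedOrigins.some((allowed) => canonicalOrigin(allowed) === presented);
}

// Build a guard for an incoming upgrade request (Node IncomingMessage shape:
// req.headers is a lowercase-keyed object). It can be wrapped as the
// `verifyClient` option of the `ws` package or called in a custom 'upgrade' handler.
function makeUpgradeGuard(allowedOrigins) {
  const allowed = allowedOrigins.map(canonicalOrigin).filter(Boolean);
  return function guard(req) {
    const headers = (req && req.headers) || {};
    const origin = canonicalOrigin(headers.origin);
    if (origin === null || !allowed.includes(origin)) return false;
    // The UI is served by this same server, so Host must name the same
    // authority as Origin; a mismatch points at a rebinding or proxied request.
    const host = canonicalOrigin(`${origin.split('://')[0]}://${headers.host || ''}`);
    return host === origin;
  };
}

// Constructed sample requests: the local Storybook UI and a cross-site page.
const guard = makeUpgradeGuard(['http://localhost:6006', 'http://127.0.0.1:6006']);
const fromLocalUi = { headers: { origin: 'http://localhost:6006', host: 'localhost:6006' } };
const fromCrossSitePage = { headers: { origin: 'https://other-site.example', host: 'localhost:6006' } };
```

Origin validation stops the cross-site case; it does not replace input validation in the create/save message handlers, which the advisory names as the actual sink.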
Affected Version(s)
storybook < 7.6.23
storybook >= 8.1.0, < 8.6.17
storybook >= 9.0.0, < 9.1.19
