Cross-Origin Source Code Exposure in webpack-dev-server by Webpack
CVE-2026-6402

5.3 MEDIUM

Key Information:

Vendor: Webpack
CVE Published: 12 May 2026

What is CVE-2026-6402?

The vulnerability in webpack-dev-server affects versions up to and including 5.2.3 and allows cross-origin exposure of source code when the dev server is served from an origin that browsers do not treat as trustworthy, such as plain HTTP. The root cause is that browsers do not attach Fetch Metadata request headers such as Sec-Fetch-Mode and Sec-Fetch-Site to requests made to non-trustworthy origins, so server-side checks that depend on those headers cannot distinguish a cross-site request from a legitimate one. As a result, a malicious website visited by the developer can retrieve application source code from the developer's machine running the vulnerable server configuration. Upgrade to webpack-dev-server 5.2.4 or later, which sets Cross-Origin-Resource-Policy: same-origin on responses so the browser itself refuses to deliver the response body to cross-origin pages, mitigating this risk regardless of whether Fetch Metadata headers are present.

Affected Version(s)

Affected: webpack-dev-server < 5.2.4 (all versions up to and including 5.2.3)

Fixed in: webpack-dev-server 5.2.4

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 12 May 2026

  • Vulnerability reserved

Credit

sapphi-red
Ulises Gascón
Sebastian Beltran
Alexander Akait