Cyber Resilience

CVE-2026-27148

Severity: High (updated)

Published: 25 February 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score v4.0: 8.9 · CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (threat, environmental and supplemental metrics not defined)
EPSS Score: 0.0128 (66.5th percentile)
Risk Priority: 55 (site composite score: floored blend, using peak EPSS)

Summary

CVE-2026-27148 is a high-severity injection (CWE-74) vulnerability in Storybook (vendor: Storybook). Its CVSS v4.0 base score is 8.9 (High); its CVSS v3.1 score is 9.6 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Drive-by Compromise (T1189). Its EPSS places it in the top 33.5% of CVEs by exploit likelihood (66.5th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27148 is a WebSocket hijacking vulnerability in Storybook, a frontend workshop for building UI components and pages in isolation. It affects the WebSocket functionality in Storybook's dev server, which is used to create and update stories, in versions prior to 7.6.23, 8.6.17, 9.1.19, and 10.2.10. The issue stems from a lack of origin validation for incoming WebSocket connections, combined with unsanitized input in the componentFilePath field of the message handlers for creating and saving stories. This enables injection attacks leading to persistent cross-site scripting (XSS) or remote code execution (RCE). Production builds are unaffected.

Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running on the default port. Because the server does not check the Origin of incoming WebSocket connections, the site can open a socket to the local instance and send messages to it silently, with no further user interaction. Attackers can inject payloads via the componentFilePath field to achieve persistent XSS or RCE on the developer's machine. If the dev server is publicly exposed, for instance for design reviews or stakeholder demos, any unauthenticated remote attacker can connect and send malicious messages directly, with no malicious site visit required; note that origin validation alone does not protect such a server, since a non-browser client can send any Origin header it likes. The CVSS v3.1 score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), with CWE-74 (Injection) and CWE-79 (Cross-site Scripting) assigned.

Mitigation is available in Storybook versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, which include fixes via commits such as 0affdf928bd6fafbadfb1dfe22ce6104805e10e8, 54689a8add18ea75d628c540f4bc677592a1e685, b8cfa77c73940c140acdcd8a06ab1ea913c44761, and d34085f39c647f5c23c3a3b2d197c18602fcf876. Security practitioners should advise developers to update to these patched versions, avoid exposing dev servers publicly, and exercise caution when visiting external sites during development sessions.


Vulnerability details

Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required: any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or remote code execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Vulnerability enables drive-by compromise via malicious site sending WebSocket payloads to local dev server (T1189), direct exploitation of exposed public-facing Storybook dev server (T1190), and client-side RCE via unsanitized input injection (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7332 (shared CWE-79)
CVE-2025-28917 (shared CWE-79)
CVE-2025-23994 (shared CWE-79)
CVE-2025-27500 (shared CWE-79)
CVE-2025-67984 (shared CWE-79)
CVE-2025-23881 (shared CWE-79)
CVE-2025-59057 (shared CWE-79)
CVE-2025-22570 (shared CWE-79)
CVE-2024-56267 (shared CWE-79)
CVE-2026-1931 (shared CWE-79)

Affected Assets

Vendor: Storybook · Product: storybook
Affected versions (fixed versions excluded): < 7.6.23 · 8.1.0 to < 8.6.17 · 9.0.0 to < 9.1.19 · 10.x prior to 10.2.10


Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation · prevent

Timely identification, reporting, and correction of flaws in the Storybook dev server directly mitigates the WebSocket hijacking and injection vulnerabilities: update to a fixed version (7.6.23, 8.6.17, 9.1.19, or 10.2.10).

SI-10 Information Input Validation · prevent

Information input validation at the WebSocket message entry points prevents injection via the unsanitized componentFilePath field, which is the path to persistent XSS or RCE. This is the control that still holds when the dev server is reachable from the network.

SC-7 Boundary Protection · prevent

Boundary protection monitors and controls communications to the dev server: enforcing origin validation on WebSocket upgrades blocks connections initiated by malicious sites in the developer's browser, and keeping the dev server off the public Internet blocks direct connections from unauthenticated remote attackers, whom an Origin check alone cannot stop.
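The two checks the analysis above describes as missing (origin validation on the WebSocket upgrade, and validation of componentFilePath before it reaches the filesystem or generated source), shown together as an added example. This is illustrative code written for this page, not Storybook's own code and not taken from the fix commits. The port 6006 is Storybook's documented default; the function names, the message field handling, the extension allowlist and the sample inputs are assumptions for illustration only.

```javascript
// Added example for this advisory, not Storybook's own code and not taken from
// the fix commits. It models the two checks the advisory says the dev server
// lacked: Origin validation at the WebSocket upgrade (boundary protection,
// SC-7) and validation of the componentFilePath field in create/save-story
// messages before it reaches the filesystem or generated source (input
// validation, SI-10). Function names, the extension allowlist and the sample
// inputs are assumptions for illustration only.

const DEFAULT_PORT = 6006; // Storybook's documented default dev-server port

// Browser origins from which the Storybook UI is legitimately served.
function defaultAllowedOrigins(port = DEFAULT_PORT) {
  return new Set([
    `http://localhost:${port}`,
    `http://127.0.0.1:${port}`,
    `http://[::1]:${port}`,
  ]);
}

// Decide whether an HTTP Upgrade request may become a WebSocket. `headers` is
// a Node-style object with lowercase keys. Browsers always send Origin on a
// WebSocket handshake, so a missing header is rejected rather than trusted.
// Caveat: this stops a malicious page in the developer's browser (the drive-by
// path); a client that can reach an exposed server over the network simply
// sends any Origin it likes, so validateComponentFilePath must hold alone.
function gateUpgrade(headers, allowedOrigins = defaultAllowedOrigins()) {
  const raw = headers.origin;
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "missing-origin" };
  }
  let origin;
  try {
    // URL.origin lower-cases the host and drops default ports and paths;
    // the literal "null" origin of a sandboxed iframe fails to parse.
    origin = new URL(raw).origin;
  } catch {
    return { ok: false, reason: "unparseable-origin" };
  }
  if (origin === "null" || !allowedOrigins.has(origin)) {
    return { ok: false, reason: "origin-not-allowed", origin };
  }
  return { ok: true, origin };
}

// File types a story may be generated for (assumed list).
const DEFAULT_EXTENSIONS = new Set([
  ".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs", ".svelte", ".vue",
]);

// One path segment: letters, digits, '_', '.', '-', '@'. Quotes, backticks,
// '$', braces, angle brackets, whitespace and control bytes, i.e. anything
// that could break out of a string literal in generated story source, are
// rejected simply by not being in the class.
const SEGMENT = /^[A-Za-z0-9_.@-]+$/;

// Validate a project-relative component path taken from an untrusted message.
// Returns { ok: true, path } with a normalised relative path, or
// { ok: false, reason }. Nothing here touches the filesystem.
function validateComponentFilePath(input, extensions = DEFAULT_EXTENSIONS) {
  if (typeof input !== "string" || input.length === 0 || input.length > 1024) {
    return { ok: false, reason: "not-a-path" };
  }
  // Absolute POSIX paths, UNC paths, Windows drive letters and URL schemes
  // (file:, data:) all escape the project root or change interpretation.
  if (/^[\\/]/.test(input) || /^[A-Za-z][A-Za-z0-9+.-]*:/.test(input)) {
    return { ok: false, reason: "absolute-or-scheme" };
  }
  const segments = [];
  for (const seg of input.split(/[\\/]/)) {
    if (seg === ".") continue; // harmless no-op
    if (seg === "..") return { ok: false, reason: "traversal" };
    if (!SEGMENT.test(seg)) return { ok: false, reason: "bad-segment", segment: seg };
    segments.push(seg);
  }
  if (segments.length === 0) return { ok: false, reason: "not-a-path" };
  const file = segments[segments.length - 1];
  const dot = file.lastIndexOf(".");
  const ext = dot > 0 ? file.slice(dot).toLowerCase() : "";
  if (!extensions.has(ext)) return { ok: false, reason: "bad-extension", ext };
  return { ok: true, path: segments.join("/") };
}

// Constructed inputs (not captured traffic): a hijack attempt from a page on
// another origin, a same-origin upgrade, a non-browser client with no Origin,
// and componentFilePath values a hostile client might send once connected.
function runDemo() {
  return {
    hijack: gateUpgrade({ origin: "https://attacker.example" }),
    sameOrigin: gateUpgrade({ origin: "http://LOCALHOST:6006/" }),
    noOrigin: gateUpgrade({}),
    legit: validateComponentFilePath("./src/components/Button.tsx"),
    traversal: validateComponentFilePath("../../.bashrc"),
    absolute: validateComponentFilePath("/etc/cron.d/job.js"),
    breakout: validateComponentFilePath("src/Button.tsx'; evil(); '"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runDemo());
}
```

The origin check belongs in the HTTP upgrade handler, before the socket is accepted, and the path check belongs in each message handler that reads componentFilePath; because the segment allowlist rejects every character that could terminate a string literal, the validated path can be interpolated into generated story source without further escaping, and because neither absolute paths nor `..` survive, the result always resolves inside the project root.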
