CVE-2026-27148
Published: 25 February 2026
Summary
CVE-2026-27148 is a high-severity Injection (CWE-74) vulnerability in Storybook. This listing scores it 8.9 (High); note that the CVSS v3.1 vector quoted under Deeper analysis computes to 9.6, which is Critical on the v3.1 scale.
Operationally, exploitation maps to the MITRE ATT&CK technique Drive-by Compromise (T1189). It ranks in the top 33.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27148 is a WebSocket hijacking vulnerability in Storybook, a frontend workshop for building UI components and pages in isolation. It affects the WebSocket functionality in Storybook's dev server, which is used to create and update stories, in versions prior to 7.6.23, 8.6.17, 9.1.19, and 10.2.10. The issue stems from a lack of origin validation for incoming WebSocket connections, combined with unsanitized input in the componentFilePath field of the message handlers for creating and saving stories. This enables injection attacks leading to persistent cross-site scripting (XSS) or remote code execution (RCE). Production builds are unaffected.
Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running on the default port (6006). Because the server does not check the Origin of incoming WebSocket connections, the attacker's page can silently open a connection to the local instance and send messages to it with no further interaction; the developer's own browser carries the attack. Payloads injected via the componentFilePath field can achieve persistent XSS or RCE on the developer's machine. If the dev server is publicly exposed, for instance for design reviews or stakeholder demos, any unauthenticated remote attacker can connect and send the same messages directly, with no malicious site visit required. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, scoring 9.6. The associated weaknesses are CWE-74 (Injection) and CWE-79 (Cross-site Scripting).
Mitigation is available in Storybook versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, which include fixes via commits such as 0affdf928bd6fafbadfb1dfe22ce6104805e10e8, 54689a8add18ea75d628c540f4bc677592a1e685, b8cfa77c73940c140acdcd8a06ab1ea913c44761, and d34085f39c647f5c23c3a3b2d197c18602fcf876. Security practitioners should advise developers to update to these patched versions, keep dev servers off public networks, and exercise caution when visiting external sites during development sessions. Note that binding the dev server to loopback only does not help against the drive-by case, since the malicious page runs inside the developer's browser on the same host; only the patched server-side checks close that path.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8750
Vulnerability details
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking.
This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables drive-by compromise via a malicious site sending WebSocket payloads to the local dev server (T1189, Drive-by Compromise), direct exploitation of a publicly exposed Storybook dev server (T1190, Exploit Public-Facing Application), and code execution on the developer's machine via unsanitized input injection (T1203, Exploitation for Client Execution).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): timely identification, reporting, and correction of flaws in the Storybook dev server directly mitigates the WebSocket hijacking and injection vulnerabilities through patching to the fixed versions.
SI-10 (Information Input Validation): validating input at the WebSocket message entry points, in particular the componentFilePath field of the create and save handlers, prevents the injection that leads to persistent XSS or RCE.
SC-7 (Boundary Protection): controlling which hosts can reach the dev server, by keeping it off public networks, removes the unauthenticated remote attacker scenario; the drive-by scenario additionally requires the server itself to validate the Origin of WebSocket connections.