Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.
CVE-2026-27148
This critical-severity CVE scores 9.6 under NVD CVSS v3. EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.6
- EG Score
- 9.6(low)
- EPSS
- 41.7%
- KEV
- Not listed
Published
February 25, 2026
Last Modified
June 30, 2026
Advisory Details (10)
Auto-updated Jun 30, 2026Storybook Dev Server Vulnerable to WebSocket Hijacking · Advisory · storybookjs/storybook · GitHub
https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5wv9.1.19
Patch available: storybookjs/storybook v9.1.19
https://github.com/storybookjs/storybook/releases/tag/v9.1.19v8.6.17
Patch available: storybookjs/storybook v8.6.17
https://github.com/storybookjs/storybook/releases/tag/v8.6.17v7.6.23
Patch available: storybookjs/storybook v7.6.23
https://github.com/storybookjs/storybook/releases/tag/v7.6.23v10.2.10
Patch available: storybookjs/storybook v10.2.10
https://github.com/storybookjs/storybook/releases/tag/v10.2.10commit d34085f39c64 (storybookjs/storybook)
Fix landed in storybookjs/storybook commit d34085f39c64 — awaiting tagged release
https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876commit b8cfa77c7394 (storybookjs/storybook)
Fix landed in storybookjs/storybook commit b8cfa77c7394 — awaiting tagged release
https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761commit 54689a8add18 (storybookjs/storybook)
Fix landed in storybookjs/storybook commit 54689a8add18 — awaiting tagged release
https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685commit 0affdf928bd6 (storybookjs/storybook)
Fix landed in storybookjs/storybook commit 0affdf928bd6 — awaiting tagged release
https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2026-27148?
When was CVE-2026-27148 disclosed?
Is CVE-2026-27148 actively exploited?
What is the CVSS score of CVE-2026-27148?
How do I remediate CVE-2026-27148?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-27148
Is Your Infrastructure Affected by CVE-2026-27148?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.