CVE-2026-27148

CRITICALNVD 9.69.6
EchelonGraph scoreLOW confidence

This critical-severity CVE scores 9.6 under NVD CVSS v3. EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: nvd
9.6
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 1%CVSS: 9.6Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.

CVSS v3
9.6
EG Score
9.6(low)
EPSS
41.7%
KEV
Not listed

Published

February 25, 2026

Last Modified

June 30, 2026

Advisory Details (10)

Auto-updated Jun 30, 2026
Patch available. Sources: redhat, github_commit, github_release, github.
redhat Patch Available

cve-details

https://access.redhat.com/security/cve/CVE-2026-27148
github Patch Available

Storybook Dev Server Vulnerable to WebSocket Hijacking · Advisory · storybookjs/storybook · GitHub

https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w
github_release Patch Available

v9.1.19

Patch available: storybookjs/storybook v9.1.19

https://github.com/storybookjs/storybook/releases/tag/v9.1.19
github_release Patch Available

v8.6.17

Patch available: storybookjs/storybook v8.6.17

https://github.com/storybookjs/storybook/releases/tag/v8.6.17
github_release Patch Available

v7.6.23

Patch available: storybookjs/storybook v7.6.23

https://github.com/storybookjs/storybook/releases/tag/v7.6.23
github_release Patch Available

v10.2.10

Patch available: storybookjs/storybook v10.2.10

https://github.com/storybookjs/storybook/releases/tag/v10.2.10
github_commit

commit d34085f39c64 (storybookjs/storybook)

Fix landed in storybookjs/storybook commit d34085f39c64 — awaiting tagged release

https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876
github_commit

commit b8cfa77c7394 (storybookjs/storybook)

Fix landed in storybookjs/storybook commit b8cfa77c7394 — awaiting tagged release

https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761
github_commit

commit 54689a8add18 (storybookjs/storybook)

Fix landed in storybookjs/storybook commit 54689a8add18 — awaiting tagged release

https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685
github_commit

commit 0affdf928bd6 (storybookjs/storybook)

Fix landed in storybookjs/storybook commit 0affdf928bd6 — awaiting tagged release

https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8

Frequently asked(5)

What is CVE-2026-27148?
CVE-2026-27148 is a critical vulnerability published on February 25, 2026. Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability…
When was CVE-2026-27148 disclosed?
CVE-2026-27148 was first published in the National Vulnerability Database on February 25, 2026, with the most recent update on June 30, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-27148 actively exploited?
CVE-2026-27148 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 41.7% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-27148?
CVE-2026-27148 has a CVSS v3 base score of 9.6 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-27148?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-27148, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-27148

Explore →

Is Your Infrastructure Affected by CVE-2026-27148?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.