
CVE-2026-14620

MEDIUM  4.7 (CVSS 3.1)
Description
webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none.

Metadata

CVE ID: CVE-2026-14620
State: PUBLISHED
Assigner: openjs
Reserved: 2026-07-03 16:50 UTC
Published: 2026-07-03 17:00 UTC
Last updated: 2026-07-03 17:00 UTC
Primary CWE: CWE-352: Cross-Site Request Forgery (CSRF)
Vendor / Product: webpack-dev-server / webpack-dev-server
Sources
cve.org  ·  NVD

Severity & Metrics

4.7 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L
Affected products (1)
Vendor              Product             Platform  Versions
webpack-dev-server  webpack-dev-server  -         0 < 5.2.6, 5.2.6
Weakness (CWE)
CWE      Source  Description
CWE-352  cna     CWE-352: Cross-Site Request Forgery (CSRF)
CWE-749  cna     CWE-749: Exposed Dangerous Method or Function
CVSS scores (1)
Score  Severity  Version  Source  Vector
4.7    MEDIUM    3.1      cna     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L