#VU124817 Improper Neutralization of Special Elements in Output Used by a Downstream Component in Storybook - CVE-2026-27148
Published: April 2, 2026
Vulnerability identifier: #VU124817
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green
CVE-ID: CVE-2026-27148
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Storybook
Storybook
Software vendor:
Storybook
Storybook
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. A remote unauthenticated attacker can trick the victim into visiting a malicious website while their local Storybook dev server is running.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..
External links
- https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8
- https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685
- https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761
- https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876
- https://github.com/storybookjs/storybook/releases/tag/v10.2.10
- https://github.com/storybookjs/storybook/releases/tag/v7.6.23
- https://github.com/storybookjs/storybook/releases/tag/v8.6.17
- https://github.com/storybookjs/storybook/releases/tag/v9.1.19
- https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w