Lucene search
K

90 matches found

RedhatCVE
RedhatCVE
added 2026/07/06 10:47 a.m.8 views

CVE-2026-14631

A flaw was found in webpack-dev-server. An unauthenticated remote attacker could send a specially crafted HTTP request with a malformed Host header or a WebSocket upgrade with a malformed Origin header. This malformed input causes an uncaught exception, leading to the termination of the Node.js...

5.3CVSS5.9AI score0.00308EPSS
Exploits0References5
Snyk
Snyk
added 2026/07/03 7:13 p.m.5 views

Improper Input Validation

Overview webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Improper Input Validation through the host-validation process. An attacker can cause the server to...

6.9CVSS6AI score0.00308EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 6:16 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the open-editor and invalidate endpoints. An attacker can open...

5.3CVSS6AI score0.00116EPSS
Exploits0References2
NVD
NVD
added 2026/07/03 6:16 p.m.10 views

CVE-2026-14631

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught...

5.3CVSS0.00308EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/03 5:23 p.m.7 views

CVE-2026-14631

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught...

5.3CVSS6AI score0.00308EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/03 5:23 p.m.42 views

CVE-2026-14631 webpack-dev-server vulnerable to denial of service via a malformed Host or Origin header

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught...

5.3CVSS0.00308EPSS
Exploits0References2
OSV
OSV
added 2026/07/03 5:23 p.m.4 views

CVE-2026-14631 webpack-dev-server vulnerable to denial of service via a malformed Host or Origin header

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught...

5.3CVSS6.1AI score0.00308EPSS
Exploits0References4
NVD
NVD
added 2026/07/03 5:16 p.m.9 views

CVE-2026-14620

webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any websi...

4.7CVSS0.00116EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/03 5:0 p.m.42 views

CVE-2026-14620 webpack-dev-server vulnerable to cross-site request forgery via internal developer endpoints

webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any websi...

4.7CVSS0.00116EPSS
Exploits0References2
CVE
CVE
added 2026/07/03 5:0 p.m.31 views

CVE-2026-14620

webpack-dev-server prior to 5.2.6 exposes two internal endpoints (/webpack-dev-server/open-editor and /webpack-dev-server/invalidate) that perform state-changing actions on any GET request without origin verification. This enables cross-origin interactions when a user visits any website while the...

4.7CVSS6.1AI score0.00116EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/03 5:0 p.m.4 views

CVE-2026-14620 webpack-dev-server vulnerable to cross-site request forgery via internal developer endpoints

webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any websi...

4.7CVSS6.1AI score0.00116EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/07/02 9:42 a.m.14 views

CVE-2026-9595

A flaw was found in webpack-dev-server. When a user configures a proxy with a broad context, such as '/', and enables WebSocket ws: true forwarding, the development server's own Hot Module Replacement HMR WebSocket can be intercepted. This interception leads to the leakage of the browser's cookie...

7.1CVSS5.7AI score0.00163EPSS
Exploits0References8
OSV
OSV
added 2026/06/30 5:13 a.m.8 views

ROOT-APP-NPM-CVE-2025-30359 CVE-2025-30359 in @rootio/webpack-dev-server - Patched by Root

Root has patched CVE-2025-30359 in the @rootio/webpack-dev-server package for Root:npm. Multiple fixed versions available...

5.9CVSS5.8AI score0.00427EPSS
Exploits1
OSV
OSV
added 2026/06/30 5:13 a.m.6 views

ROOT-APP-NPM-CVE-2025-30360 CVE-2025-30360 in @rootio/webpack-dev-server - Patched by Root

Root has patched CVE-2025-30360 in the @rootio/webpack-dev-server package for Root:npm. Multiple fixed versions available...

6.5CVSS5.8AI score0.00289EPSS
Exploits1
OSV
OSV
added 2026/06/30 5:13 a.m.9 views

ROOT-APP-NPM-CVE-2026-6402 CVE-2026-6402 in @rootio/webpack-dev-server - Patched by Root

Root has patched CVE-2026-6402 in the @rootio/webpack-dev-server package for Root:npm. Multiple fixed versions available...

6.5CVSS5.3AI score0.00216EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/06/24 12:0 a.m.26 views

Linux Distros Unpatched Vulnerability : CVE-2026-9595

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and...

5.3CVSS6AI score0.00163EPSS
Exploits0References3
OSV
OSV
added 2026/06/17 6:13 p.m.8 views

GHSA-MX8G-39Q3-5C79 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Impact When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...

5.3CVSS5.4AI score0.00163EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/17 6:13 p.m.15 views

EUVD-2026-36729

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies...

5.3CVSS5.2AI score0.00163EPSS
Exploits0References6
Snyk
Snyk
added 2026/06/15 5:39 p.m.10 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via permissive user proxy configurations that inclu...

7.1CVSS5.9AI score0.00163EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:39 p.m.9 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview org.webjars.npm:webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via permissive user proxy...

7.1CVSS5.9AI score0.00163EPSS
Exploits0References2
Rows per page
Query Builder