mediumCVE-2026-14620

CVE-2026-14620 webpack-dev-server vulnerability

webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any website a developer visits while the dev server is running can trigger these endpoints cross-origin with no interaction beyond the visit. An attacker can open an arbitrary existing local file in the developer's editor, including files outside the project root, and repeated requests can spawn editor processes and force recompilations that degrade the developer's machine. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: none.

Productwebpack-dev-server
CVSS4.7
EPSSNot scored yet
UpdatedJuly 14, 2026

Quick answer

webpack.js webpack-dev-server should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • 5.2.5 and earlier

Fixed versions

  • 5.2.6

How to fix it

CVE-2026-14620 affects webpack-dev-server. It can let a remote page or request crash the dev server or trigger unsafe developer actions. Upgrade to 5.2.6 and keep dev servers off untrusted networks.

  1. Find projects that depend on webpack-dev-server.
  2. Check package-lock, yarn.lock, pnpm-lock, and package.json versions.
  3. Upgrade webpack-dev-server to 5.2.6 or newer.
  4. Reinstall dependencies and commit the lockfile change.
  5. Keep the dev server bound to localhost unless a trusted tunnel is required.
  6. Do not expose dev servers to the internet or shared office networks.
  7. Restart the dev server after the package update.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Run npm ls webpack-dev-server and confirm 5.2.6 or newer.
  • Confirm the lockfile no longer resolves to an older version.
  • Start the dev server and confirm it binds only to localhost.
  • Retest the development workflow after the update.
  • Record the package version and lockfile change as evidence.

Trusted references

FAQ

What is affected by CVE-2026-14620?

webpack.js webpack-dev-server versions listed as affected should be reviewed: 5.2.5 and earlier.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.