Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/storybook@8.2.0-alpha.8

Type npm

Namespace

Name storybook

Version 8.2.0-alpha.8

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 8.6.17

Latest_non_vulnerable_version 10.2.10

Affected_by_vulnerabilities

url VCID-1kmh-kqac-g3cu

vulnerability_id VCID-1kmh-kqac-g3cu

summary Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix for the issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27148.json

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27148.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27148

reference_id

reference_type

scores

value	0.00075
scoring_system	epss
scoring_elements	0.22665
published_at	2026-06-11T12:55:00Z

value	0.00075
scoring_system	epss
scoring_elements	0.22861
published_at	2026-06-12T12:55:00Z

value	0.00237
scoring_system	epss
scoring_elements	0.47144
published_at	2026-06-14T12:55:00Z

value	0.00237
scoring_system	epss
scoring_elements	0.47161
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27148

reference_url

https://github.com/storybookjs/storybook

reference_id

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/storybookjs/storybook

reference_url

https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8

reference_id

0affdf928bd6fafbadfb1dfe22ce6104805e10e8

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:25:54Z/

url

https://github.com/storybookjs/storybook/commit/0affdf928bd6fafbadfb1dfe22ce6104805e10e8

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2442784
reference_id	2442784
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2442784

reference_url

https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685

reference_id

54689a8add18ea75d628c540f4bc677592a1e685

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:25:54Z/

url

https://github.com/storybookjs/storybook/commit/54689a8add18ea75d628c540f4bc677592a1e685

reference_url

https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761

reference_id

b8cfa77c73940c140acdcd8a06ab1ea913c44761

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:25:54Z/

url

https://github.com/storybookjs/storybook/commit/b8cfa77c73940c140acdcd8a06ab1ea913c44761

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27148

reference_id

CVE-2026-27148

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27148

reference_url

https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876

reference_id

d34085f39c647f5c23c3a3b2d197c18602fcf876

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:25:54Z/

url

https://github.com/storybookjs/storybook/commit/d34085f39c647f5c23c3a3b2d197c18602fcf876

reference_url

https://github.com/advisories/GHSA-mjf5-7g4m-gx5w

reference_id

GHSA-mjf5-7g4m-gx5w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mjf5-7g4m-gx5w

reference_url

https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w

reference_id

GHSA-mjf5-7g4m-gx5w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:25:54Z/

url

https://github.com/storybookjs/storybook/security/advisories/GHSA-mjf5-7g4m-gx5w

reference_url

https://github.com/storybookjs/storybook/releases/tag/v10.2.10

reference_id

v10.2.10

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:25:54Z/

url

https://github.com/storybookjs/storybook/releases/tag/v10.2.10

reference_url

https://github.com/storybookjs/storybook/releases/tag/v7.6.23

reference_id

v7.6.23

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:25:54Z/

url

https://github.com/storybookjs/storybook/releases/tag/v7.6.23

reference_url

https://github.com/storybookjs/storybook/releases/tag/v8.6.17

reference_id

v8.6.17

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:25:54Z/

url

https://github.com/storybookjs/storybook/releases/tag/v8.6.17

reference_url

https://github.com/storybookjs/storybook/releases/tag/v9.1.19

reference_id

v9.1.19

reference_type

scores

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:25:54Z/

url

https://github.com/storybookjs/storybook/releases/tag/v9.1.19

fixed_packages

url	pkg:npm/storybook@8.6.17
purl	pkg:npm/storybook@8.6.17
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/storybook@8.6.17

url	pkg:npm/storybook@9.1.19
purl	pkg:npm/storybook@9.1.19
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/storybook@9.1.19

url	pkg:npm/storybook@10.2.10
purl	pkg:npm/storybook@10.2.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/storybook@10.2.10

aliases CVE-2026-27148, GHSA-mjf5-7g4m-gx5w

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1kmh-kqac-g3cu

url VCID-4q9d-1uux-nbf9

vulnerability_id VCID-4q9d-1uux-nbf9

summary Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook’s handling of environment variables defined in a `.env` file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the `storybook build` command. When a built Storybook is published to the web, the bundle’s source is viewable, thus potentially exposing those variables to anyone with access. For a project to potentially be vulnerable to this issue, it must build the Storybook (i.e. run `storybook build` directly or indirectly) in a directory that contains a `.env` file (including variants like `.env.local`) and publish the built Storybook to the web. Storybooks built without a `.env` file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than `.env` files. Storybook runtime environments (i.e. `storybook dev`) are not affected. Deployed applications that share a repo with your Storybook are not affected. Users should upgrade their Storybook—on both their local machines and CI environment—to version .6.21, 8.6.15, 9.1.17, or 10.1.10 as soon as possible. Maintainers additionally recommend that users audit for any sensitive secrets provided via `.env` files and rotate those keys. Some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environmental variable values, either prefix the variables with `STORYBOOK_` or use the `env` property in Storybook’s configuration to manually specify values. In either case, do not include sensitive secrets as they will be included in the built bundle.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68429.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68429.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-68429

reference_id

reference_type

scores

value	0.00013
scoring_system	epss
scoring_elements	0.02056
published_at	2026-06-14T12:55:00Z

value	0.00013
scoring_system	epss
scoring_elements	0.02048
published_at	2026-06-13T12:55:00Z

value	0.00013
scoring_system	epss
scoring_elements	0.02049
published_at	2026-06-12T12:55:00Z

value	0.00013
scoring_system	epss
scoring_elements	0.02044
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-68429

reference_url

https://github.com/storybookjs/storybook

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/storybookjs/storybook

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2423460
reference_id	2423460
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2423460

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-68429

reference_id

CVE-2025-68429

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-68429

reference_url

https://github.com/advisories/GHSA-8452-54wp-rmv6

reference_id

GHSA-8452-54wp-rmv6

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8452-54wp-rmv6

reference_url

https://github.com/storybookjs/storybook/security/advisories/GHSA-8452-54wp-rmv6

reference_id

GHSA-8452-54wp-rmv6

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-18T14:52:42Z/

url

https://github.com/storybookjs/storybook/security/advisories/GHSA-8452-54wp-rmv6

reference_url	https://access.redhat.com/errata/RHSA-2026:2256
reference_id	RHSA-2026:2256
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2256

reference_url	https://access.redhat.com/errata/RHSA-2026:2500
reference_id	RHSA-2026:2500
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2500

reference_url	https://access.redhat.com/errata/RHSA-2026:2737
reference_id	RHSA-2026:2737
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2737

reference_url

https://storybook.js.org/blog/security-advisory

reference_id

security-advisory

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-18T14:52:42Z/

url

https://storybook.js.org/blog/security-advisory

fixed_packages

url pkg:npm/storybook@8.6.15

purl pkg:npm/storybook@8.6.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1kmh-kqac-g3cu

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/storybook@8.6.15

url pkg:npm/storybook@9.1.17

purl pkg:npm/storybook@9.1.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1kmh-kqac-g3cu

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/storybook@9.1.17

url pkg:npm/storybook@10.1.10

purl pkg:npm/storybook@10.1.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1kmh-kqac-g3cu

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/storybook@10.1.10

aliases CVE-2025-68429, GHSA-8452-54wp-rmv6

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4q9d-1uux-nbf9

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/storybook@8.2.0-alpha.8

Package Instance