SCA: security update for storybook (GHSA-mjf5-7g4m-gx5w)

high Tenable Self-Hosted Container Security Plugin ID 438129

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to
versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used
to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the
Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a
malicious website while their local Storybook dev server is running. Because the WebSocket connection does
not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to
the local instance without any further user interaction. If the Storybook dev server is intentionally
exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site
visit is required. Any unauthenticated attacker can send WebSocket messages to it directly. The
vulnerability affects the WebSocket message handlers for creating and saving stories. Both are vulnerable
to injection via unsanitized input in the componentFilePath field, which can be exploited to achieve
persistent XSS or Remote Code Execution (RCE). Versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10 contain a fix
for the issue. (CVE-2026-27148)

See Also

https://github.com/advisories/GHSA-mjf5-7g4m-gx5w

Plugin Details

Severity: High

ID: 438129

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 3/3/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.16

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-27148

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.9

Threat Score: 5.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/26/2026

Vulnerability Publication Date: 2/25/2026

Reference Information

CVE: CVE-2026-27148