PatchSiren

storybookjs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW storybookjs CVE published 2026-05-20

CVE-2026-47099

CVE-2026-47099 is a DOM-based cross-site scripting issue in TeleJSON versions prior to 6.0.0. The problem is in the parse() flow used to recreate object prototypes: a malicious _constructor-name_ value can be passed into new Function() without sanitization, allowing attacker-controlled JavaScript to run when untrusted JSON is processed. The practical risk is highest in browser-facing applications that acc [truncated]

HIGH storybookjs CVE published 2026-02-25

CVE-2026-27148

CVE-2026-27148 is a high-severity vulnerability affecting Storybook's dev server, which could allow attackers to hijack WebSocket connections and potentially lead to Remote Code Execution (RCE) or Cross-Site Scripting (XSS) attacks. The vulnerability exists due to the WebSocket functionality in Storybook's dev server not validating the origin of incoming connections. This allows a malicious site to send W [truncated]