MEDIUM
webpack-dev-server
CVE published 2026-06-15
CVE-2026-9595
CVE-2026-9595 is a security vulnerability in webpack-dev-server that allows an attacker to bypass security features and leak sensitive information. When a user-configured proxy on webpack-dev-server has a broad context (e.g., /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasse [truncated]