Webpack.js Webpack-dev-server — known CVE vulnerabilities
Every CVE whose affected-product data names Webpack.js Webpack-dev-server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (7)
CVE-2018-14732 — CVSS 7.5 (high): An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal developer's code because the…
CVE-2025-30360 — CVSS 6.5 (medium): webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1…
CVE-2026-9595 — CVSS 5.3 (medium): Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's…
CVE-2025-30359 — CVSS 5.3 (medium): webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1…
CVE-2026-14631 — CVSS 5.3 (medium): webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP…
CVE-2026-6402 — CVSS 5.3 (medium): webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a…
CVE-2026-14620 — CVSS 4.7 (medium): webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and…