CVE-2026-14802
Received Received - Intake

Command Injection in React Create React App

Vulnerability report for CVE-2026-14802, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
react create-react-app to 5.0.1 (inc)
react react-dev-utils 12.0.1
react react-dev-utils 11.0.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-14802 vulnerability is an OS command injection flaw found in the startBrowserProcess function of the openBrowser.js file within the react-dev-utils package used by react create-react-app. The issue arises because URLs passed to this function are improperly sanitized using encodeURI, which does not escape shell-significant characters such as $, (, and ). When these URLs are executed in a shell command, the shell expands command substitutions, allowing an attacker to execute arbitrary commands on the system.

This vulnerability allows remote exploitation by controlling the URL passed to the openBrowser function, potentially leading to remote code execution on a developer's workstation. A proof of concept demonstrates this by injecting a payload that creates a file on the system, confirming the ability to run arbitrary commands.

Impact Analysis

This vulnerability can have serious impacts, especially for developers using react create-react-app on macOS. An attacker who can influence the URL passed to the vulnerable function can execute arbitrary commands on the developer's machine remotely.

  • Remote Code Execution (RCE) on the developer's workstation.
  • Potential compromise of development environments, including access to sensitive files or credentials.
  • Execution of malicious commands that could alter or damage the system.
  • Risk to millions of developers if malicious URLs are introduced via .env files, middleware, or shared development environments.
Detection Guidance

This vulnerability can be detected by checking for the presence of the vulnerable version of the react-dev-utils package, specifically version 12.0.1, which contains the OS command injection flaw in the startBrowserProcess function of openBrowser.js.

A practical detection method is to look for evidence of exploitation attempts by searching for files created by the Proof of Concept (PoC) payload, such as the file /tmp/RCE_VERIFIED, which indicates that the command injection was successful.

You can use the following command on macOS or Linux systems to check if the PoC file exists, which would confirm exploitation:

  • ls -l /tmp/RCE_VERIFIED

Additionally, you can search your project dependencies to identify if react-dev-utils version 12.0.1 is installed by running:

  • npm ls react-dev-utils

Monitoring shell command executions triggered by URLs containing shell-significant characters like $, (, and ) in development environments may also help detect attempts to exploit this vulnerability.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable react-dev-utils version 12.0.1 and any create-react-app versions up to 5.0.1 on macOS.

Since the project has not yet responded with a patch, you should consider the following actions:

  • Remove or restrict any untrusted input that could be passed as URLs to the openBrowser function to prevent command injection.
  • Avoid opening URLs from untrusted sources in development environments using create-react-app.
  • Monitor and audit your development environment for suspicious files or processes that could indicate exploitation.
  • Consider migrating to alternative React frameworks or tools that do not rely on the vulnerable package, as recommended by the community.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14802. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart