Product
A high-severity OS command injection vulnerability (CVE-2026-14802) exists in `react create-react-app` up to version 5.0.1, specifically within the `startBrowserProcess` function of the `openBrowser.js` file in the `react-dev-utils` component, allowing for remote exploitation and arbitrary OS command execution on affected macOS development environments.