{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/react/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14802"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["create-react-app \u003c= 5.0.1","react-dev-utils"],"_cs_severities":["high"],"_cs_tags":["vulnerability","command-injection","macos","web-application"],"_cs_type":"advisory","_cs_vendors":["react"],"content_html":"\u003cp\u003eA significant OS command injection vulnerability, tracked as CVE-2026-14802, has been identified in \u003ccode\u003ereact create-react-app\u003c/code\u003e versions up to 5.0.1. This flaw specifically impacts macOS systems running development environments utilizing the \u003ccode\u003ereact-dev-utils\u003c/code\u003e component, particularly within the \u003ccode\u003estartBrowserProcess\u003c/code\u003e function found in \u003ccode\u003eopenBrowser.js\u003c/code\u003e. The vulnerability allows for remote exploitation, enabling an unauthenticated attacker to inject and execute arbitrary operating system commands. An exploit for this vulnerability is now publicly available, increasing the risk of widespread attacks against exposed development instances. This vulnerability was initially reported via an issue, but the project maintainers have not yet responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker identifies a \u003ccode\u003ecreate-react-app\u003c/code\u003e development server, version 5.0.1 or earlier, running on a macOS machine and exposed to the network, often due to misconfiguration or lack of proper network segmentation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker determines that the exposed \u003ccode\u003ecreate-react-app\u003c/code\u003e instance is vulnerable to CVE-2026-14802, specifically targeting the \u003ccode\u003estartBrowserProcess\u003c/code\u003e function within the \u003ccode\u003ereact-dev-utils\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Injection\u003c/strong\u003e: The attacker crafts and sends a specially malicious request to the \u003ccode\u003ecreate-react-app\u003c/code\u003e development server, embedding OS commands within the input intended for the \u003ccode\u003estartBrowserProcess\u003c/code\u003e function in \u003ccode\u003eopenBrowser.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOS Command Execution\u003c/strong\u003e: The vulnerable \u003ccode\u003estartBrowserProcess\u003c/code\u003e function processes the unsanitized input, leading to the execution of the injected OS commands with the privileges of the running \u003ccode\u003ecreate-react-app\u003c/code\u003e process on the macOS system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery and Persistence\u003c/strong\u003e: The executed commands can then download and launch additional malicious payloads, such as reverse shells, infostealers, or ransomware, and establish persistence mechanisms on the compromised developer workstation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement and Data Exfiltration\u003c/strong\u003e: With control over the developer's machine, the attacker can move laterally within the network, access source code repositories, exfiltrate sensitive intellectual property, or steal credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14802 can lead to severe consequences for organizations. Attackers gaining control over a developer's workstation can compromise sensitive intellectual property, such as proprietary source code, design documents, and API keys. This can lead to data breaches, supply chain attacks if malicious code is injected into software projects, and unauthorized access to internal systems. The remote and unauthenticated nature of the vulnerability, coupled with the public availability of exploit code, increases the likelihood of rapid and widespread exploitation if development environments are not adequately secured.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch \u003ccode\u003ecreate-react-app\u003c/code\u003e\u003c/strong\u003e: Immediately update \u003ccode\u003ecreate-react-app\u003c/code\u003e to a version beyond 5.0.1 to remediate CVE-2026-14802.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIsolate Development Environments\u003c/strong\u003e: Ensure \u003ccode\u003ecreate-react-app\u003c/code\u003e development servers and other development tools are not exposed to untrusted networks and are properly segmented from production environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Endpoint Detection \u0026amp; Response (EDR)\u003c/strong\u003e: Deploy EDR solutions on all macOS developer workstations to monitor for suspicious process creation and network connections that may indicate exploitation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor for Public Exploits\u003c/strong\u003e: Actively monitor public sources, including the references listed in this brief, for new exploit details or proof-of-concepts related to CVE-2026-14802.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T08:23:22Z","date_published":"2026-07-06T08:23:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14802-react-create-react-app/","summary":"A high-severity OS command injection vulnerability (CVE-2026-14802) exists in `react create-react-app` up to version 5.0.1, specifically within the `startBrowserProcess` function of the `openBrowser.js` file in the `react-dev-utils` component, allowing for remote exploitation and arbitrary OS command execution on affected macOS development environments.","title":"CVE-2026-14802: Remote OS Command Injection in React Create React App","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14802-react-create-react-app/"}],"language":"en","title":"CraftedSignal Threat Feed - React","version":"https://jsonfeed.org/version/1.1"}