CVE-2026-14802

React · create-react-app

A command injection vulnerability in React create-react-app (up to version 5) allows remote attackers to execute arbitrary OS commands.

Executive summary

A vulnerability in React create-react-app allows for OS command injection, potentially leading to unauthorized system access and execution of arbitrary code.

Vulnerability

The software is vulnerable to CWE-78 (OS Command Injection) and CWE-77 (Command Injection). This allows an attacker to inject and execute system-level commands, potentially gaining control over the environment where the software is being utilized.

Business impact

The vulnerability is rated with a CVSS score of 7.3 (High). Successful exploitation could lead to a complete compromise of the build environment or developer workstation, potentially allowing for supply chain attacks, data exfiltration, or lateral movement within the corporate network.

Remediation

Immediate Action: Apply vendor security updates immediately. Users should check for the latest versions of create-react-app and migrate away from vulnerable versions up to 5.

Proactive Monitoring: Monitor build pipelines and development environments for unexpected process executions or unusual modifications to system configurations.

Compensating Controls: Ensure that build environments are isolated and run with the principle of least privilege to minimize the potential impact of command execution.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the risk to development and build environments, it is critical to update your dependencies and ensure that create-react-app is not running in an insecure state. Prioritize this update to maintain the integrity of your software development lifecycle.