CVE-2026-14802
React · create-react-app
A command injection vulnerability in React create-react-app (up to version 5) allows remote attackers to execute arbitrary OS commands.
Executive summary
A vulnerability in React create-react-app allows for OS command injection, potentially leading to unauthorized system access and execution of arbitrary code.
Vulnerability
The software is vulnerable to CWE-78 (OS Command Injection) and CWE-77 (Command Injection). This allows an attacker to inject and execute system-level commands, potentially gaining control over the environment where the software is being utilized.
Business impact
The vulnerability is rated with a CVSS score of 7.3 (High). Successful exploitation could lead to a complete compromise of the build environment or developer workstation, potentially allowing for supply chain attacks, data exfiltration, or lateral movement within the corporate network.
Remediation
Immediate Action: Apply vendor security updates immediately. Users should check for the latest versions of create-react-app and migrate away from vulnerable versions up to 5.
Proactive Monitoring: Monitor build pipelines and development environments for unexpected process executions or unusual modifications to system configurations.
Compensating Controls: Ensure that build environments are isolated and run with the principle of least privilege to minimize the potential impact of command execution.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the risk to development and build environments, it is critical to update your dependencies and ensure that create-react-app is not running in an insecure state. Prioritize this update to maintain the integrity of your software development lifecycle.