Description
A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-07-06
Score: 6.9 Medium
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the startBrowserProcess function within openBrowser.js of react-dev-utils, a component of create‑react‑app. On macOS systems, manipulated input can be injected into the operating system command that the function executes, enabling an attacker to run arbitrary commands with the privileges of the node process. The description explicitly states that remote exploitation is possible and that public exploits are available. This weakness falls under CWE‑77 and CWE‑78, signifying improper validation of command arguments and insecure command execution.

Affected Systems

The affected vendor is React for the create‑react‑app package. Versions up to and including 5.0.1 are impacted, as documented in the CVE description. Users of this package on macOS should be aware that any installation that has not yet been updated to a later release is vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of 1% shows a low exploitation probability at the time of analysis, yet the fact that a public exploit exists raises the practical risk. The vulnerability is not listed in the CISA KEV catalog, but the exposed attack surface can be leveraged from a remote context, particularly on development environments that automatically launch browsers.

Generated by OpenCVE AI on July 6, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade create-react-app to a version newer than 5.0.1 where the command injection is fixed.
  • If an upgrade is not immediately possible, run the development server with the --no-open flag or otherwise disable the automatic browser launch to eliminate the vulnerable function.
  • Monitor system logs for unexpected process creation or command execution that originates from the startBrowserProcess script, and block or sandbox such activity if anomaly is detected.

Generated by OpenCVE AI on July 6, 2026 at 21:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Facebook
Facebook create-react-app
Vendors & Products Facebook
Facebook create-react-app

Mon, 06 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in react create-react-app up to 5.0.1 on macOS. This affects the function startBrowserProcess of the file openBrowser.js of the component react-dev-utils. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title react create-react-app react-dev-utils openBrowser.js startBrowserProcess os command injection
First Time appeared React
React create-react-app
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:a:react:create-react-app:*:*:*:*:*:*:*:*
Vendors & Products React
React create-react-app
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Facebook Create-react-app
React Create-react-app
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T15:17:49.174Z

Reserved: 2026-07-05T19:11:13.568Z

Link: CVE-2026-14802

cve-icon Vulnrichment

Updated: 2026-07-06T15:17:25.824Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T22:15:15Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')