webpack-dev-server — CVE history (npm)

webpack-dev-server

5 CVEs affect the webpack-dev-server npm package (highest CVSS 7.5). Latest disclosed: 2026-06-15. Full CVE history sourced from NVD.

Summary

Package
webpack-dev-server (npm)
Total CVEs
5
Actively exploited (CISA KEV)
0
Highest CVSS
7.5
Latest disclosed
2026-06-15

Recent CVEs (top 5)

CVESeverityCVSSKEVPublishedSummary
CVE-2026-9595Medium5.32026-06-15Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g.
CVE-2026-6402Medium5.32026-05-12webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP.
CVE-2025-30360Medium6.52025-06-03webpack-dev-server allows users to use webpack with a development server that provides live reloading.
CVE-2025-30359Medium5.32025-06-03webpack-dev-server allows users to use webpack with a development server that provides live reloading.
CVE-2018-14732High7.52018-09-21An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6.

All-time worst (top 5 by CVSS)

CVESeverityCVSSKEVPublishedSummary
CVE-2018-14732High7.52018-09-21An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6.
CVE-2025-30360Medium6.52025-06-03webpack-dev-server allows users to use webpack with a development server that provides live reloading.
CVE-2026-9595Medium5.32026-06-15Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g.
CVE-2026-6402Medium5.32026-05-12webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP.
CVE-2025-30359Medium5.32025-06-03webpack-dev-server allows users to use webpack with a development server that provides live reloading.