66 matches found

CVE
added 2026/06/02 8:34 p.m. | 14 views

CVE-2026-49144

CVE-2026-49144 : BrowserStack Runner 0.9.5 contains a path traversal vulnerability in the _default HTTP handler (lib/server.js) that allows unauthenticated attackers on the network-adjacent interface to read arbitrary files outside the project root. The description notes an unauthenticated HTTP s...

7.1 CVSS | 5.9 AI score | 0.00207 EPSS
Exploits 0 | References 2

Cvelist
added 2026/06/02 8:31 p.m. | 29 views

CVE-2026-49143 BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContex...

8.8 CVSS | 0.00395 EPSS
Exploits 0 | References 2

ATTACKERKB
added 2026/06/02 8:31 p.m. | 9 views

CVE-2026-49143

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContex...

8.8 CVSS | 6.7 AI score | 0.00395 EPSS
Exploits 0 | References 3

Vulnrichment
added 2026/06/02 8:31 p.m. | 5 views

CVE-2026-49143 BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContex...

8.8 CVSS | 6.7 AI score | 0.00395 EPSS
Exploits 0 | References 2

CVE
added 2026/06/02 8:31 p.m. | 33 views

CVE-2026-49143

CVE-2026-49143 affects BrowserStack Runner up to version 0.9.5. The vulnerability is in the /_log HTTP handler, permitting unauthenticated, network-adjacent attackers to achieve remote code execution by sending crafted JSON bodies that are passed to vm.runInNewContext() with eval(); attackers can...

8.8 CVSS | 6.7 AI score | 0.00395 EPSS
Exploits 0 | References 2

CNNVD
added 2026/06/02 12:0 a.m. | 2 views

BrowserStack Runner Code Injection Vulnerability

BrowserStack Runner is an open-source browser testing command-line tool developed by BrowserStack. Versions of BrowserStack Runner prior to 0.9.5 contained a code injection vulnerability. This vulnerability stems from the log HTTP handler, where data provided by users is passed to...

8.8 CVSS | 6 AI score | 0.00395 EPSS
Exploits 0 | References 2

Positive Technologies
added 2026/06/02 12:0 a.m. | 9 views

PT-2026-45857

Name of the Vulnerable Software and Affected Versions: BrowserStack Runner versions prior to 0.9.6. Description: An issue in the / log HTTP handler allows unauthenticated network-adjacent attackers to execute arbitrary code on the host system. The handler processes JSON request bodies by passing...

8.8 CVSS | 6.8 AI score | 0.00395 EPSS
Exploits 0 | References 8

CNNVD
added 2026/06/02 12:0 a.m. | 1 views

BrowserStack Runner Path Traversal Vulnerability

BrowserStack Runner is an open-source browser testing command-line tool developed by BrowserStack. Versions of BrowserStack Runner prior to 0.9.5 contained a path traversal vulnerability. This vulnerability originated from the default HTTP handler in lib/server.js, which allowed for path traversa...

7.1 CVSS | 5.5 AI score | 0.00207 EPSS
Exploits 0 | References 2

Cvelist
added 2026/05/18 8:31 p.m. | 35 views

CVE-2026-25244 WebdriverIO has Command Injection in the BrowserStack Service

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell...

9.8 CVSS | 0.03824 EPSS
Exploits 1 | References 3

Vulnrichment
added 2026/05/18 8:31 p.m. | 6 views

CVE-2026-25244 WebdriverIO has Command Injection in the BrowserStack Service

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell...

9.8 CVSS | 6.6 AI score | 0.03824 EPSS
Exploits 1 | References 3

CVE
added 2026/05/18 8:31 p.m. | 20 views

CVE-2026-25244

CVE-2026-25244 affects WebdriverIO versions below 9.24.0, specifically the @wdio/browserstack-service during test orchestration. The root cause is user-controlled git branch names being interpolated directly into execSync() calls within getGitMetadataForAISelection() without sanitization, enablin...

9.8 CVSS | 6.6 AI score | 0.03824 EPSS
Exploits 1 | References 3 | Affected Software 1

vulnersOsv
added 2026/05/11 5:53 p.m. | 4 views

@elliemae/pui-e2e-test-sdk (>=11.0.0 <=12.2.0), froth-webdriverio-framework (>=9.0.5-ytlc3.0 <=9.0.5-ytlc7.0) potentially affected by CVE-2026-25244 via @wdio/browserstack-service (>=9.12.7 <=9.23.0)

@wdio/browserstack-service NPM version =9.12.7, =11.0.0, =9.0.5-ytlc3.0, =9.0.5-ytlc7.0 Source cves: CVE-2026-25244 Source advisory: SNYK:JS-WDIOBROWSERSTACKSERVICE-16642116...

9.8 CVSS | 5.8 AI score | 0.03824 EPSS
Exploits 1

OSV
added 2026/05/11 5:53 p.m. | 3 views

GHSA-5C46-X3QW-Q7J7 WebdriverIO BrowserStack Service has a Command Injection issue

Summary: A command injection vulnerability exists in @wdio/browserstack-service that allows remote code execution (RCE) when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection...

9.8 CVSS | 6.4 AI score | 0.03824 EPSS
Exploits 1 | References 5

Github Security Blog
added 2026/05/11 5:53 p.m. | 9 views

WebdriverIO BrowserStack Service has a Command Injection issue

Summary: A command injection vulnerability exists in @wdio/browserstack-service that allows remote code execution (RCE) when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection...

9.8 CVSS | 6.4 AI score | 0.03824 EPSS
Exploits 1 | References 5 | Affected Software 1

Snyk
added 2026/05/11 5:53 p.m. | 6 views

Command Injection

Overview: @wdio/browserstack-service is a WebdriverIO service for better Browserstack integration. Affected versions of this package are vulnerable to Command Injection via the getGitMetadataForAISelection function. An attacker can execute arbitrary commands on the host system by supplying a...

9.8 CVSS | 6.1 AI score | 0.03824 EPSS
Exploits 1 | References 2

Positive Technologies
added 2026/05/11 12:0 a.m. | 7 views

PT-2026-39872

Name of the Vulnerable Software and Affected Versions: WebdriverIO versions prior to 9.24.0. Description: A command injection issue exists in @wdio/browserstack-service that allows remote code execution. The problem occurs during test orchestration when processing git branch names. An attacker can...

9.8 CVSS | 6.3 AI score | 0.03824 EPSS
Exploits 1 | References 8

OSSF Malicious Packages
added 2026/04/16 9:47 a.m. | 5 views

Malicious code in browserstack-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a2272bbaadf2917d37e4659f060875d56de205e1b5f21ad56605c07eadfa33e The package browserstack-utils was found to contain malicious code...

5.7 AI score
Exploits 0

OSV
added 2026/04/16 9:47 a.m. | 1 views

MAL-2026-2730 Malicious code in browserstack-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a2272bbaadf2917d37e4659f060875d56de205e1b5f21ad56605c07eadfa33e The package browserstack-utils was found to contain malicious code...

5.7 AI score
Exploits 0

OSV
added 2026/03/26 8:45 p.m. | 3 views

MAL-2026-2243 Malicious code in browserstack-electron-forge-include-package-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e23283b4b946444b885ae39acf12ae0ca55ddd864863df70b0fcf84f5c5c57b3 The package browserstack-electron-forge-include-package-plugin was found to contain malicious code. Source: ossf-package-analysis...

5.9 AI score
Exploits 0

RedhatCVE
added 2026/01/29 5:59 p.m. | 38 views

CVE-2025-57283

A flaw was found in browserstack-local. Improper input sanitization of the logfile variable allows an attacker to inject arbitrary OS commands that are executed when this variable is processed, resulting in arbitrary command execution. Mitigation: To mitigate this issue, implement strict input...

7.8 CVSS | 5.9 AI score | 0.00585 EPSS
Exploits 0 | References 5