209 matches found
@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)
@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITESTBROWSER-17120486...
@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)
@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: OSV:GHSA-2H32-95RG-CPPP...
CVE-2026-25244
A flaw was found in WebdriverIO. A remote attacker can exploit a command injection vulnerability by crafting a malicious Git repository with a specially named branch. This branch name, containing shell metacharacters, is unsafely processed during test orchestration. This allows for remote code...
CVE-2026-25244
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...
CVE-2026-25244 WebdriverIO has Command Injection in the BrowserStack Service
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...
CVE-2026-25244
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...
EUVD-2026-30805
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...
CVE-2026-25244 WebdriverIO has Command Injection in the BrowserStack Service
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...
CVE-2026-25244 WebdriverIO has Command Injection in the BrowserStack Service
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...
CVE-2026-25244
CVE-2026-25244 affects WebdriverIO versions below 9.24.0, specifically the @wdio/browserstack-service during test orchestration. The root cause is user-controlled git branch names being interpolated directly into execSync() calls within getGitMetadataForAISelection() without sanitization, enablin...
webdriverio 操作系统命令注入漏洞
WebdriverIO is an open-source automation testing framework for browsers and mobile devices developed by WebdriverIO. Versions of WebdriverIO prior to 9.24.0 had a vulnerability related to operating system command injection. This vulnerability stemmed from the getGitMetadataForAISelection function...
@elliemae/pui-e2e-test-sdk (>=11.0.0 <=12.2.0), froth-webdriverio-framework (>=9.0.5-ytlc3.0 <=9.0.5-ytlc7.0) potentially affected by CVE-2026-25244 via @wdio/browserstack-service (>=9.12.7 <=9.23.0)
@wdio/browserstack-service NPM version =9.12.7, =11.0.0, =9.0.5-ytlc3.0, =9.0.5-ytlc7.0 Source cves: CVE-2026-25244 Source advisory: SNYK:JS-WDIOBROWSERSTACKSERVICE-16642116...
Command Injection
Overview @wdio/browserstack-service is a WebdriverIO service for better Browserstack integration Affected versions of this package are vulnerable to Command Injection via the getGitMetadataForAISelection function. An attacker can execute arbitrary commands on the host system by supplying a...
WebdriverIO BrowserStack Service has a Command Injection issue
Summary A command injection vulnerability exists in @wdio/browserstack-service that allows remote code execution RCE when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection...
PT-2026-39872
Name of the Vulnerable Software and Affected Versions WebdriverIO versions prior to 9.24.0 Description A command injection issue exists in the test orchestration of WebdriverIO, specifically within the @wdio/browserstack-service module. The function getGitMetadataForAISelection interpolates git...
Malicious code in @postman/wdio-junit-reporter (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ac6f5998a89d257823fdf6368153d30126e695eb96b8ba6a5cd500fe661b8f8 The package @postman/wdio-junit-reporter was found to contain malicious code. Source: google-open-source-security...
EUVD-2025-180269
Malicious code in async-graviton-webdriverio-quantum npm...
EUVD-2025-175434
Malicious code in yonder-webdriverio-lynx-blackhole npm...
MAL-2025-187896 Malicious code in magellan-astro-webdriverio-enceladus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 956002abb27a2f289c68e054e9fd9ee1991e2691200e686d03be1ff32801893e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-186627 Malicious code in dotenv-safe-vortex-meissa-webdriverio (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 90fb944cc269795d653356deba7764bb80e34801218d14654f3434c39296c5c2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...