@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)

@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: OSV:GHSA-2H32-95RG-CPPP...

@vitest/browser-playwright (>=5.0.0-beta.1 <=5.0.0-beta.2), @vitest/browser-preview (>=5.0.0-beta.1 <=5.0.0-beta.2) +1 more potentially affected by CVE-2026-47428 via @vitest/browser (>=5.0.0-beta.1 <=5.0.0-beta.2)

@vitest/browser NPM version =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.1, =5.0.0-beta.2 Source cves: CVE-2026-47428 Source advisory: SNYK:JS-VITESTBROWSER-17120486...

CVE-2026-25244

A flaw was found in WebdriverIO. A remote attacker can exploit a command injection vulnerability by crafting a malicious Git repository with a specially named branch. This branch name, containing shell metacharacters, is unsafely processed during test orchestration. This allows for remote code...

CVE-2026-25244

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...

CVE-2026-25244

CVE-2026-25244 affects WebdriverIO versions below 9.24.0, specifically the @wdio/browserstack-service during test orchestration. The root cause is user-controlled git branch names being interpolated directly into execSync() calls within getGitMetadataForAISelection() without sanitization, enablin...

CVE-2026-25244 WebdriverIO has Command Injection in the BrowserStack Service

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...

CVE-2026-25244

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...

EUVD-2026-30805

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...

CVE-2026-25244 WebdriverIO has Command Injection in the BrowserStack Service

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution RCE in test orchestration. Git permits branch names containing shell...

webdriverio 操作系统命令注入漏洞

WebdriverIO is an open-source automation testing framework for browsers and mobile devices developed by WebdriverIO. Versions of WebdriverIO prior to 9.24.0 had a vulnerability related to operating system command injection. This vulnerability stemmed from the getGitMetadataForAISelection function...

@elliemae/pui-e2e-test-sdk (>=11.0.0 <=12.2.0), froth-webdriverio-framework (>=9.0.5-ytlc3.0 <=9.0.5-ytlc7.0) potentially affected by CVE-2026-25244 via @wdio/browserstack-service (>=9.12.7 <=9.23.0)

@wdio/browserstack-service NPM version =9.12.7, =11.0.0, =9.0.5-ytlc3.0, =9.0.5-ytlc7.0 Source cves: CVE-2026-25244 Source advisory: SNYK:JS-WDIOBROWSERSTACKSERVICE-16642116...

Command Injection

Overview @wdio/browserstack-service is a WebdriverIO service for better Browserstack integration Affected versions of this package are vulnerable to Command Injection via the getGitMetadataForAISelection function. An attacker can execute arbitrary commands on the host system by supplying a...

WebdriverIO BrowserStack Service has a Command Injection issue

Summary A command injection vulnerability exists in @wdio/browserstack-service that allows remote code execution RCE when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection...

PT-2026-39872

Name of the Vulnerable Software and Affected Versions WebdriverIO versions prior to 9.24.0 Description A command injection issue exists in @wdio/browserstack-service that allows remote code execution. The problem occurs during test orchestration when processing git branch names. An attacker can...

Malicious code in @postman/wdio-junit-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ac6f5998a89d257823fdf6368153d30126e695eb96b8ba6a5cd500fe661b8f8 The package @postman/wdio-junit-reporter was found to contain malicious code. Source: google-open-source-security...

Malicious code in taurus-css-minimizer-webpack-plugin-ophiuchus-webdriverio (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f8ad6a47a997ae581afbb207779a8920a2efac4fcd400cab0db5924bf8227ea This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in webdriverio-npm-supervisor-blaze (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d4759ce7fafd7b599f2d391dc859e66d40f9d758da169a2303128f81734a831f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-176043

Malicious code in taurus-webdriverio-helios-gemini npm...

EUVD-2025-175596

Malicious code in webdriverio-meissa-terser-node-sass npm...

MAL-2025-190282 Malicious code in webdriverio-rate-limiter-wormhole-version (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 546a55ebdbc1b18fed5bbad6be8b757cfe2c4fa0d1f046a9d5deff7b296f6332 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...