Which versions of browser-operator-core are affected by CVE-2026-7234?

CVE-2026-7234 affects browser-operator-core versions up to 0.6.0 and permits unauthenticated remote attackers to read, write, and delete arbitrary files on affected servers through path traversal…

Is there a public PoC exploit available for CVE-2026-7234?

Yes, a public proof-of-concept exploit is available for CVE-2026-7234. Prioritise patching immediately. EPSS: 0.0%.

browser-operator-core CVE-2026-7234

Q: What is the CVSS score of CVE-2026-7234?

CVE-2026-7234 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-26001 MEDIUM

Path Traversal (CWE-22)

2026-04-28 VulDB

Path Traversal

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 28, 2026 - 07:22 NVD

HIGH MEDIUM

CVSS changed

Apr 28, 2026 - 07:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 28, 2026 - 06:46 vuln.today

EUVD ID Assigned

Apr 28, 2026 - 06:30 euvd

EUVD-2026-26001

Analysis Generated

Apr 28, 2026 - 06:30 vuln.today

CVE Published

Apr 28, 2026 - 06:15 nvd

MEDIUM 5.5

DescriptionNVD

A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in browser-operator-core versions up to 0.6.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files on the server by manipulating the request.url parameter in the startsWith function of server.js. Publicly available exploit code exists (GitHub issue #96), enabling trivial exploitation with no user interaction. …

RemediationAI

Within 24 hours: Inventory all systems running browser-operator-core up to version 0.6.0 and isolate affected instances from production networks if possible. Within 7 days: Evaluate vendor alternatives or implement network-level access controls (WAF rules blocking malicious request.url patterns, IP whitelisting) to limit exposure while awaiting patch availability; verify no indicators of compromise in server logs. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7234 vulnerability details – vuln.today

Back

browser-operator-core CVE-2026-7234

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

browser-operator-core CVE-2026-7234

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code