Skip to main content

Browser Operator Core

1 CVEs product

Monthly

CVE-2026-7234 MEDIUM POC This Month

Path traversal in browser-operator-core versions up to 0.6.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files on the server by manipulating the request.url parameter in the startsWith function of server.js. Publicly available exploit code exists (GitHub issue #96), enabling trivial exploitation with no user interaction. CVSS 7.3 reflects network-exploitable attack with low impact across confidentiality, integrity, and availability. No vendor response or patch released despite early responsible disclosure via issue report. This is a critical supply chain risk for any systems running the affected BrowserOperator component server.

Path Traversal Browser Operator Core
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in browser-operator-core versions up to 0.6.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files on the server by manipulating the request.url parameter in the startsWith function of server.js. Publicly available exploit code exists (GitHub issue #96), enabling trivial exploitation with no user interaction. CVSS 7.3 reflects network-exploitable attack with low impact across confidentiality, integrity, and availability. No vendor response or patch released despite early responsible disclosure via issue report. This is a critical supply chain risk for any systems running the affected BrowserOperator component server.

Path Traversal Browser Operator Core
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy