Browserstack Runner

1 CVE

CVE-2026-49144 npm HIGH POC GHSA Monitor

Arbitrary file disclosure in BrowserStack Runner versions through 0.9.5 allows unauthenticated network-adjacent attackers to read sensitive files outside the project root by abusing a path traversal flaw in the default HTTP handler of lib/server.js. Because the embedded test server binds on all interfaces by default, any attacker on the same network segment (Wi-Fi, VLAN, or shared LAN) can retrieve source code, credentials, or environment files. No public exploit identified at time of analysis, but a GitHub Security Advisory (GHSA-8rpw-6cqh-2v9h) has been published.

Tags: Path Traversal, Browserstack Runner
Sources: NVD, GitHub
CVSS 4.0: 7.1
EPSS: 0.0%