Skip to main content

Playwrightcapture

1 CVEs product

Monthly

CVE-2026-63175 HIGH PATCH This Week

Cross-user state leakage in Lookyloo's PlaywrightCapture Python library allows one capture operation to inherit sensitive data from another when multiple Capture objects run within the same Python process. Because capture-specific settings (HTTP headers, cookies, browser storage, HTTP credentials, proxy, user-agent, geolocation) were stored as mutable class-level rather than instance-level variables, a concurrent or subsequent capture in a multi-user deployment can disclose or reuse another user's authentication cookies, credentials, and captured request data. Exploitation requires low privileges (PR:L, a legitimate user of a shared deployment); a vendor patch exists (commit 1e354b9) and no public exploit identified at time of analysis.

Python Authentication Bypass Playwrightcapture
NVD GitHub VulDB
CVSS 4.0
7.1
CVSS 7.1
HIGH PATCH This Week

Cross-user state leakage in Lookyloo's PlaywrightCapture Python library allows one capture operation to inherit sensitive data from another when multiple Capture objects run within the same Python process. Because capture-specific settings (HTTP headers, cookies, browser storage, HTTP credentials, proxy, user-agent, geolocation) were stored as mutable class-level rather than instance-level variables, a concurrent or subsequent capture in a multi-user deployment can disclose or reuse another user's authentication cookies, credentials, and captured request data. Exploitation requires low privileges (PR:L, a legitimate user of a shared deployment); a vendor patch exists (commit 1e354b9) and no public exploit identified at time of analysis.

Python Authentication Bypass Playwrightcapture
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy