๐Ÿ” CVE Alert

CVE-2026-49144

MEDIUM 6.5

BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
7th

BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside the project root and access sensitive files.

CWE CWE-22
Vendor browserstack
Product browserstack-runner
Published Jun 2, 2026
Last Updated Jun 3, 2026
Stay Ahead of the Next One

Get instant alerts for browserstack browserstack-runner

Be the first to know when new medium vulnerabilities affecting browserstack browserstack-runner are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

browserstack / browserstack-runner
0 โ‰ค 0.9.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/browserstack/browserstack-runner/security/advisories/GHSA-8rpw-6cqh-2v9h vulncheck.com: https://www.vulncheck.com/advisories/browserstack-runner-path-traversal-via-default-http-handler

Credits

Christ Bouchuen