<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-08T08:38:13.333840+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/235c33e0-632a-4753-9b55-05718ea6d1c5/export</id>
    <title>235c33e0-632a-4753-9b55-05718ea6d1c5</title>
    <updated>2026-06-08T08:38:13.372667+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "235c33e0-632a-4753-9b55-05718ea6d1c5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4914", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjhwomeimw2m", "content": "", "creation_timestamp": "2026-04-14T17:45:12.587821Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/235c33e0-632a-4753-9b55-05718ea6d1c5/export"/>
    <published>2026-04-14T17:45:12.587821+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/d071b117-1e39-4a6d-96e0-4809b0396c7a/export</id>
    <title>d071b117-1e39-4a6d-96e0-4809b0396c7a</title>
    <updated>2026-06-08T08:38:13.372601+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "d071b117-1e39-4a6d-96e0-4809b0396c7a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4914", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mjk2cdepzo2r", "content": "", "creation_timestamp": "2026-04-15T13:55:13.897311Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/d071b117-1e39-4a6d-96e0-4809b0396c7a/export"/>
    <published>2026-04-15T13:55:13.897311+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/400d3b49-b41f-4802-9e5d-62ac807be074/export</id>
    <title>400d3b49-b41f-4802-9e5d-62ac807be074</title>
    <updated>2026-06-08T08:38:13.372529+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "400d3b49-b41f-4802-9e5d-62ac807be074", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-4914", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mjk53youck2w", "content": "", "creation_timestamp": "2026-04-15T14:45:22.932708Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/400d3b49-b41f-4802-9e5d-62ac807be074/export"/>
    <published>2026-04-15T14:45:22.932708+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/9ec353fe-5a2f-4462-a184-7febec96cc66/export</id>
    <title>9ec353fe-5a2f-4462-a184-7febec96cc66</title>
    <updated>2026-06-08T08:38:13.372456+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "9ec353fe-5a2f-4462-a184-7febec96cc66", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49143", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mndlsens5v2p", "content": "\ud83d\udfe0 CVE-2026-49143 - High (8.8)\n\nBrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTT...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-49143/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-02T22:00:34.602100Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/9ec353fe-5a2f-4462-a184-7febec96cc66/export"/>
    <published>2026-06-02T22:00:34.602100+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/d5a13255-faff-45ee-9497-5b024c1bfce6/export</id>
    <title>d5a13255-faff-45ee-9497-5b024c1bfce6</title>
    <updated>2026-06-08T08:38:13.372381+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "d5a13255-faff-45ee-9497-5b024c1bfce6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49143", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mndr2nst4p2o", "content": "CVE-2026-49143 - BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler\nCVE ID : CVE-2026-49143\n \n Published : June 2, 2026, 9:16 p.m. | 1\u00a0hour, 57\u00a0minutes ago\n \n Description : BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in th...", "creation_timestamp": "2026-06-02T23:34:40.523600Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/d5a13255-faff-45ee-9497-5b024c1bfce6/export"/>
    <published>2026-06-02T23:34:40.523600+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/bda3f18c-ebbf-4807-92e1-80d3c79dc70b/export</id>
    <title>bda3f18c-ebbf-4807-92e1-80d3c79dc70b</title>
    <updated>2026-06-08T08:38:13.372298+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://vulnerability.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "bda3f18c-ebbf-4807-92e1-80d3c79dc70b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49144", "type": "published-proof-of-concept", "source": "https://github.com/advisories/GHSA-8rpw-6cqh-2v9h", "content": "", "creation_timestamp": "2026-06-03T21:38:40.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/bda3f18c-ebbf-4807-92e1-80d3c79dc70b/export"/>
    <published>2026-06-03T21:38:40+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/3bcd8173-053d-40c0-b0a4-8d202770ee7b/export</id>
    <title>3bcd8173-053d-40c0-b0a4-8d202770ee7b</title>
    <updated>2026-06-08T08:38:13.371300+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://vulnerability.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "3bcd8173-053d-40c0-b0a4-8d202770ee7b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-49143", "type": "published-proof-of-concept", "source": "https://github.com/advisories/GHSA-6vr3-7wcx-v5g5", "content": "", "creation_timestamp": "2026-06-03T21:39:32.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/3bcd8173-053d-40c0-b0a4-8d202770ee7b/export"/>
    <published>2026-06-03T21:39:32+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/45dec213-990e-4ff0-8dbf-1532ef9c1a3a/export</id>
    <title>45dec213-990e-4ff0-8dbf-1532ef9c1a3a</title>
    <updated>2026-06-08T08:38:13.371148+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "45dec213-990e-4ff0-8dbf-1532ef9c1a3a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49143", "type": "seen", "source": "https://gist.github.com/alon710/0a4fd57da163f29a224f9f12ea16fb50", "content": "# CVE-2026-49143: CVE-2026-49143: Unauthenticated Remote Code Execution in browserstack-runner\n\n&amp;gt; **CVSS Score:** 8.8\n&amp;gt; **Published:** 2026-06-03\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49143\n\n## Summary\nAn unauthenticated remote code execution (RCE) vulnerability exists in the browserstack-runner npm package (versions up to and including 0.9.5). The flaw lies in the /_log HTTP endpoint handler, which evaluates user-supplied input within a non-secure Node.js VM context combined with dynamic eval() execution. Network-adjacent attackers can exploit this behavior to escape the sandbox and execute arbitrary system commands on the host machine.\n\n## TL;DR\nUnauthenticated remote code execution vulnerability in browserstack-runner &amp;lt;= 0.9.5 via a sandbox escape in the /_log HTTP handler.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94: Improper Control of Generation of Code ('Code Injection')\n- **Attack Vector**: Adjacent Network\n- **CVSS v3.1 Score**: 8.8\n- **CVSS v4.0 Score**: 8.7\n- **Exploit Status**: poc\n- **KEV Status**: Not Listed\n- **Impact**: High (Complete Confidentiality, Integrity, and Availability Loss)\n\n## Affected Systems\n\n- Workstations running browserstack-runner configurations locally\n- Continuous integration (CI/CD) runners executing automated cross-browser suites\n- Local development servers utilizing browserstack-runner &amp;lt;= 0.9.5\n- **browserstack-runner**: &amp;lt;= 0.9.5\n\n## Mitigation\n\n- Avoid using Node.js standard vm modules or eval() routines to parse user-controlled input.\n- Restrict HTTP listener bindings in lib/server.js to 
127.0.0.1 instead of 0.0.0.0 to prevent adjacent network access.\n- Introduce token-based session validation checks on the /_log endpoint to reject unauthenticated requests.\n\n**Remediation Steps:**\n1. Open the file lib/server.js within the browserstack-runner installation directory.\n2. Locate the route definition mapping to the /_log handler.\n3. Replace the call to vm.runInNewContext() and eval() with a safe mapping function that stringifies or sanitizes arguments.\n4. Modify the HTTP listen configuration to specify host '127.0.0.1' rather than binding to all network interfaces.\n\n## References\n\n- [GitHub Security Advisory (GHSA-6vr3-7wcx-v5g5)](https://github.com/browserstack/browserstack-runner/security/advisories/GHSA-6vr3-7wcx-v5g5)\n- [VulnCheck Advisory Portal](https://www.vulncheck.com/advisories/browserstack-runner-unauthenticated-rce-via-log-http-handler)\n- [NVD Entry for CVE-2026-49143](https://nvd.nist.gov/vuln/detail/CVE-2026-49143)\n- [GitHub Project Repository](https://github.com/browserstack/browserstack-runner)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49143) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T22:40:56.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/45dec213-990e-4ff0-8dbf-1532ef9c1a3a/export"/>
    <published>2026-06-03T22:40:56+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/05eab089-41ff-49bf-a2bc-e12bb9ebb412/export</id>
    <title>05eab089-41ff-49bf-a2bc-e12bb9ebb412</title>
    <updated>2026-06-08T08:38:13.370971+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "05eab089-41ff-49bf-a2bc-e12bb9ebb412", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49144", "type": "seen", "source": "https://gist.github.com/alon710/f7bc5351b219485c56b8d23a92985578", "content": "# CVE-2026-49144: CVE-2026-49144: Unauthenticated Arbitrary File Read via Path Traversal in BrowserStack Runner\n\n&amp;gt; **CVSS Score:** 7.1\n&amp;gt; **Published:** 2026-06-03\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49144\n\n## Summary\nAn unauthenticated path traversal vulnerability in BrowserStack Runner versions up to and including 0.9.5 allows remote or adjacent network attackers to read arbitrary files from the host system. The flaw exists within the local HTTP test server's fallback and patch file handlers, which fail to sanitize path inputs before passing them to file resolution APIs.\n\n## TL;DR\nBrowserStack Runner through 0.9.5 permits unauthenticated remote file disclosure due to lack of path sanitization in its internal HTTP server handlers.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-22\n- **Attack Vector**: Adjacent Network (AV:A)\n- **CVSS v4 Score**: 7.1 (High)\n- **EPSS Score**: 0.00024\n- **Impact**: Arbitrary File Disclosure\n- **Exploit Status**: PoC\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- BrowserStack Runner host systems running versions &amp;lt;= 0.9.5\n- **BrowserStack Runner**: &amp;lt;= 0.9.5 (Fixed in: `None`)\n\n## Mitigation\n\n- Implement server-side path resolution sanitization ensuring requested files remain within intended directories.\n- Bind the local HTTP test server strictly to the loopback interface (127.0.0.1) instead of 0.0.0.0.\n\n**Remediation Steps:**\n1. Inspect the local test runner setup to check if 'browserstack-runner' is being used.\n2. 
Integrate isSafePath validation code into lib/server.js as detailed in the technical patch section.\n3. Configure local firewalls to deny external inbound connections to test server ports (default 3000).\n\n## References\n\n- [NVD - CVE-2026-49144 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-49144)\n- [GitHub Security Advisory GHSA-8rpw-6cqh-2v9h](https://github.com/browserstack/browserstack-runner/security/advisories/GHSA-8rpw-6cqh-2v9h)\n- [VulnCheck Security Advisory](https://www.vulncheck.com/advisories/browserstack-runner-path-traversal-via-default-http-handler)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49144) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T23:10:53.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/05eab089-41ff-49bf-a2bc-e12bb9ebb412/export"/>
    <published>2026-06-03T23:10:53+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/37698d3b-ca60-448f-bc38-132773d25c96/export</id>
    <title>37698d3b-ca60-448f-bc38-132773d25c96</title>
    <updated>2026-06-08T08:38:13.368866+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "37698d3b-ca60-448f-bc38-132773d25c96", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49144", "type": "seen", "source": "https://gist.github.com/alon710/c96f50c47f9fff8e91b22c3cc55eaa13", "content": "# CVE-2026-49144: CVE-2026-49144: Unauthenticated Arbitrary File Read via Path Traversal in BrowserStack Runner\n\n&amp;gt; **CVSS Score:** 7.1\n&amp;gt; **Published:** 2026-06-03\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49144\n\n## Summary\nAn unauthenticated path traversal vulnerability in BrowserStack Runner versions up to and including 0.9.5 allows remote or adjacent network attackers to read arbitrary files from the host system. The flaw exists within the local HTTP test server's fallback and patch file handlers, which fail to sanitize path inputs before passing them to file resolution APIs.\n\n## TL;DR\nBrowserStack Runner through 0.9.5 permits unauthenticated remote file disclosure due to lack of path sanitization in its internal HTTP server handlers.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-22\n- **Attack Vector**: Adjacent Network (AV:A)\n- **CVSS v4 Score**: 7.1 (High)\n- **EPSS Score**: 0.00024\n- **Impact**: Arbitrary File Disclosure\n- **Exploit Status**: PoC\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- BrowserStack Runner host systems running versions &amp;lt;= 0.9.5\n- **BrowserStack Runner**: &amp;lt;= 0.9.5 (Fixed in: `None`)\n\n## Mitigation\n\n- Implement server-side path resolution sanitization ensuring requested files remain within intended directories.\n- Bind the local HTTP test server strictly to the loopback interface (127.0.0.1) instead of 0.0.0.0.\n\n**Remediation Steps:**\n1. Inspect the local test runner setup to check if 'browserstack-runner' is being used.\n2. 
Integrate isSafePath validation code into lib/server.js as detailed in the technical patch section.\n3. Configure local firewalls to deny external inbound connections to test server ports (default 3000).\n\n## References\n\n- [NVD - CVE-2026-49144 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-49144)\n- [GitHub Security Advisory GHSA-8rpw-6cqh-2v9h](https://github.com/browserstack/browserstack-runner/security/advisories/GHSA-8rpw-6cqh-2v9h)\n- [VulnCheck Security Advisory](https://www.vulncheck.com/advisories/browserstack-runner-path-traversal-via-default-http-handler)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49144) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T23:20:57.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/37698d3b-ca60-448f-bc38-132773d25c96/export"/>
    <published>2026-06-03T23:20:57+00:00</published>
  </entry>
</feed>
