CVE-2026-49143
8.8 HIGH
Published: 2026-06-02 · Last updated: 2026-06-04
Severity and scoring
- CVSS: 8.8 HIGH
- Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-94 (Improper Control of Generation of Code, "Code Injection")
Description
BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.
Source: NVD
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49143
- GitHub advisory: https://github.com/browserstack/browserstack-runner/security/advisories/GHSA-6vr3-7wcx-v5g5
- VulnCheck: https://www.vulncheck.com/advisories/browserstack-runner-unauthenticated-rce-via-log-http-handler
Related CVEs
Same CWE
- CVE-2026-12209 — A security vulnerability has been detected in RubyLouvre avalon up to 2.2.10 (5.3 MEDIUM)
- CVE-2026-12208 — A weakness has been identified in jsonata-js jsonata up to 2.2.0 (5.3 MEDIUM)
- CVE-2026-12202 — A vulnerability has been found in Intelliants Subrion CMS up to 4.0.3 (2.4 LOW)
- CVE-2026-12176 — A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 (4.3 MEDIUM)
- CVE-2026-54057 — Kitty is a cross-platform GPU-based terminal