CVE-2026-49143

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.

Vulnerability Details

Published Date

June 02, 2026

Last Modified

June 02, 2026

CWE ID

CWE-94

Source

NVD

Vendor

browserstack

Product

browserstack-runner

External References

https://github.com/browserstack/browserstack-runner/security/advisories/GHSA-6vr3-7wcx-v5g5
https://www.vulncheck.com/advisories/browserstack-runner-unauthenticated-rce-via-log-http-handler

CVE-2026-49143

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment