CVE-2026-48723
Received Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically " and ;) allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-48723
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
browserstack browserstack_cypress_cli to 1.36.4|start_including=1.36.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the browserstack-cypress-cli versions prior to 1.36.4. It is an OS command injection flaw caused by the way the cypress_config_file configuration parameter is handled. Specifically, the loadJsFile() function constructs a shell command by inserting the user-controlled cypress_config_filepath value directly into a command string, which is then executed using child_process.execSync(). Because shell metacharacters like " and ; are not properly sanitized, an attacker can break out of the intended command argument and inject arbitrary OS commands.

This vulnerability allows an attacker to execute arbitrary commands on the operating system where the CLI is running.

The issue was fixed in version 1.36.6 of the browserstack-cypress-cli.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary OS commands with the privileges of the user running the browserstack-cypress-cli.

  • Compromise of system integrity by running malicious commands.
  • Potential unauthorized access to sensitive data.
  • Disruption of service or availability due to destructive commands.
  • Elevation of risk for further attacks within the environment.
Mitigation Strategies

To mitigate this vulnerability, upgrade the browserstack-cypress-cli to version 1.36.6 or later, as this version contains the fix for the OS command injection issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart