CVE-2026-48723
Deferred Deferred - Pending Action

OS Command Injection in BrowserStack Cypress CLI

Vulnerability report for CVE-2026-48723, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: GitHub, Inc.

Description

The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically " and ;) allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
browserstack browserstack_cypress_cli to 1.36.4|start_including=1.36.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows arbitrary code execution on the victim's machine through OS command injection, potentially compromising confidentiality, integrity, and availability of data.

Such a compromise could lead to violations of common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Detection Guidance

This vulnerability can be detected by checking if the installed version of browserstack-cypress-cli is vulnerable (versions prior to 1.36.4). Additionally, inspecting the browserstack.json configuration file for suspicious or malformed cypress_config_file paths containing shell metacharacters such as ";", "&", or """ can help identify potential exploitation attempts.

To detect exploitation attempts or presence of the vulnerability on your system, you can:

  • Check the installed version of browserstack-cypress-cli with the command: `npm list browserstack-cypress-cli` or `npx browserstack-cypress-cli --version`.
  • Search for suspicious entries in the browserstack.json file, for example: `grep -E '[;&"`|&()]' browserstack.json` to find shell metacharacters in the cypress_config_file path.
  • Monitor execution logs or command history for suspicious commands triggered by the CLI, especially those involving unexpected shell metacharacters.

Note that no specific detection commands are provided in the resources, but these general steps can help identify vulnerable versions and suspicious configurations.

Executive Summary

The vulnerability exists in the browserstack-cypress-cli versions prior to 1.36.4. It is an OS command injection flaw caused by the way the cypress_config_file configuration parameter is handled. Specifically, the loadJsFile() function constructs a shell command by inserting the user-controlled cypress_config_filepath value directly into a command string, which is then executed using child_process.execSync(). Because shell metacharacters like " and ; are not properly sanitized, an attacker can break out of the intended command argument and inject arbitrary OS commands.

This vulnerability allows an attacker to execute arbitrary commands on the operating system where the CLI is running.

The issue was fixed in version 1.36.6 of the browserstack-cypress-cli.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary OS commands with the privileges of the user running the browserstack-cypress-cli.

  • Compromise of system integrity by running malicious commands.
  • Potential unauthorized access to sensitive data.
  • Disruption of service or availability due to destructive commands.
  • Elevation of risk for further attacks within the environment.
Mitigation Strategies

To mitigate this vulnerability, upgrade the browserstack-cypress-cli to version 1.36.6 or later, as this version contains the fix for the OS command injection issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart