CVE-2026-49144
Path Traversal in BrowserStack Runner
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| browserstack | runner | 0.9.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in BrowserStack Runner versions up to 0.9.5. It is a path traversal flaw in the _default HTTP handler within the lib/server.js file. This flaw allows unauthenticated attackers who are network-adjacent to exploit the HTTP server, which listens on all interfaces, to traverse directories outside the intended project root. As a result, attackers can read arbitrary files on the system.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker can read sensitive files on the affected system without any authentication. This could lead to exposure of confidential information, configuration files, or other sensitive data that resides outside the project root directory.