CVE-2026-63175
Received Received - Intake

State Sharing in PlaywrightCapture Leading to Information Disclosure

Vulnerability report for CVE-2026-63175, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP credentials, proxy configuration, user-agent settings, geolocation information, and captured request data. In a multi-user or concurrent deployment, information supplied during one capture could therefore persist and be reused by a subsequent or parallel capture. This could result in the disclosure of authentication cookies, credentials, browser storage, or captured request data belonging to another user. It could also cause requests to be performed with another capture's authentication context, headers, or proxy configuration, potentially enabling unauthorized access to remote resources or interference with other capture operations. The vulnerability is resolved by initializing all capture-specific settings and request data as instance variables in the Capture constructor, ensuring that state is isolated between capture operations.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in PlaywrightCapture involves shared mutable class-level variables that store capture-specific data like HTTP headers, cookies, and authentication details. Multiple Capture objects in the same process can unintentionally share this state, leading to data leakage or unauthorized access across different users or captures.

Impact Analysis

If you use PlaywrightCapture in a multi-user or concurrent environment, sensitive data from one user's capture (e.g., authentication cookies, credentials) could be exposed to another user. This may allow unauthorized access to resources or interference with other captures.

Compliance Impact

This vulnerability could lead to unauthorized data exposure, violating GDPR's data protection principles or HIPAA's confidentiality requirements. Compliance risks include data breaches, unauthorized access, and failure to protect sensitive user information.

Mitigation Strategies

Update PlaywrightCapture to the patched version where capture-specific settings are initialized as instance variables in the Capture constructor to ensure state isolation between captures.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63175. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart