216.73.216.67

CVE-2026-49143

· Published 02/06/2026 21:16 · Modified 03/06/2026 14:16

Labels: CVE-2026-49143 2026-06-02CVE-2026-49143CWE-94[email protected]

Essential information

Published
02/06/2026 21:16
Modified
03/06/2026 14:16
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
browserstack / runner cpe:2.3:a:browserstack:runner:0.9.5:*:*:*:*:*:*:*

References