Remote Code Execution Flaw in BrowserStack Runner Affects Unauthenticated Users
CVE-2026-49143

8.7 HIGH

Key Information:

Vendor
CVE Published:
2 June 2026

What is CVE-2026-49143?

BrowserStack Runner versions up to 0.9.5 are affected by a vulnerability that allows unauthenticated attackers to execute arbitrary code remotely. This occurs through the insecure handling of requests to the /_log HTTP handler, which processes user-supplied JSON data without adequate sanitization. By exploiting this flaw, attackers can escape the Node.js virtual machine sandbox and interact with the host system, executing malicious code that can compromise system integrity. This vulnerability poses significant risks, as it allows for unauthorized access and manipulation of the underlying environment.
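A defensive counterpart to the flaw described above, as an added example that is not BrowserStack Runner's own code: a log-ingestion handler that treats the JSON body strictly as data and never hands any part of it to eval, Function or the vm module, which Node.js documents as not being a security mechanism. The payload shape { "arguments": [...] }, the function names and the limits are assumptions made for illustration.

```javascript
// Added example: hardened handling for a log-ingestion endpoint.
// Payload shape, names and limits are assumptions, not the project's API.
const MAX_BODY_CHARS = 16 * 1024;
const MAX_ARGS = 32;
const PRIMITIVES = new Set(["string", "number", "boolean"]);

// Accept only loopback callers; the advisory rates the attack vector as
// adjacent network, so the endpoint should not be reachable off-host.
function isLoopbackPeer(addr) {
  return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
}

// Parse the body as data only. Nothing from the request is evaluated.
function parseLogBody(raw) {
  if (typeof raw !== "string" || raw.length > MAX_BODY_CHARS) {
    throw new RangeError("body missing or too large");
  }
  const doc = JSON.parse(raw); // throws SyntaxError on malformed input
  if (doc === null || typeof doc !== "object" || !Array.isArray(doc.arguments)) {
    throw new TypeError("expected { arguments: [...] }");
  }
  if (doc.arguments.length > MAX_ARGS) {
    throw new RangeError("too many arguments");
  }
  return doc.arguments.map((arg) => {
    // Reject objects and arrays so no attacker-shaped structure is processed.
    if (arg !== null && !PRIMITIVES.has(typeof arg)) {
      throw new TypeError("only primitive log arguments are accepted");
    }
    // Replace control characters so a value cannot forge extra log lines.
    return String(arg).replace(/[\u0000-\u001f\u007f]/g, " ");
  });
}

// Returns the HTTP status to send and the sanitized line to write, if any.
function handleLog(remoteAddress, rawBody) {
  if (!isLoopbackPeer(remoteAddress)) return { status: 403, line: null };
  try {
    return { status: 200, line: parseLogBody(rawBody).join(" ") };
  } catch (err) {
    return { status: 400, line: null };
  }
}
```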

Affected Version(s)

browserstack-runner 0 <= 0.9.5

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Christ Bouchuen