CVE-2026-49143 HIGH

CVE-2026-49143: BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler

Vendor Browserstack
Product browserstack-runner
Weakness CWE-94 · Code injection
Published June 2, 2026
Last update June 3, 2026

CVSS base score

8.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.
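
A hardened counterpart to the pattern described above, as an added example that is not browserstack-runner's own code: the /_log body is parsed with JSON.parse and rendered as inert text, so no vm.runInNewContext() or eval() call sits on the request path. The {"arguments": [...]} body shape, the function names and the limits are assumptions made for illustration.

```javascript
// Added example, not browserstack-runner code. Assumed body shape: {"arguments": [...]}.
const MAX_BODY_CHARS = 64 * 1024; // assumed limit
const MAX_ARGS = 32;              // assumed limit
const MAX_DEPTH = 3;              // assumed limit

// Render a JSON value as text. Input is only ever read, never evaluated.
function renderValue(value, depth = 0) {
  if (value === null) return 'null';
  if (typeof value === 'string') return depth === 0 ? value : JSON.stringify(value);
  if (typeof value === 'number' || typeof value === 'boolean') return String(value);
  if (depth >= MAX_DEPTH) return '[truncated]';
  if (Array.isArray(value)) {
    return '[' + value.map((v) => renderValue(v, depth + 1)).join(', ') + ']';
  }
  const fields = Object.keys(value).map(
    (k) => JSON.stringify(k) + ': ' + renderValue(value[k], depth + 1)
  );
  return '{' + fields.join(', ') + '}';
}

// Turn a raw /_log request body into one log line, or a rejection.
function parseLogBody(rawBody) {
  if (typeof rawBody !== 'string') {
    return { ok: false, status: 400, error: 'body must be text' };
  }
  if (rawBody.length > MAX_BODY_CHARS) {
    return { ok: false, status: 413, error: 'body too large' };
  }
  let body;
  try {
    body = JSON.parse(rawBody); // data-only parser: cannot run code
  } catch (err) {
    return { ok: false, status: 400, error: 'invalid JSON' };
  }
  const args = body !== null && typeof body === 'object' ? body.arguments : undefined;
  if (!Array.isArray(args) || args.length > MAX_ARGS) {
    return { ok: false, status: 400, error: 'arguments must be a short array' };
  }
  // Replace control characters so one request cannot forge extra log lines.
  const line = args.map((a) => renderValue(a)).join(' ').replace(/[\x00-\x1f\x7f]/g, ' ');
  return { ok: true, status: 200, line };
}

// Constructed sample body: a string that looks like code stays a string.
const sample = parseLogBody('{"arguments":["globalThis.pwned = 1", {"n": [1, null]}]}');
console.log(sample.line);
```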

Key dates

02 Disclosure timeline

June 2, 2026 CVE published
June 3, 2026 Record updated