CVE-2026-7234

Description

A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

Low

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

E

Physical

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

E

Physical

RL

X

RC

Required

Affected products

BrowserOperator / browser-operator-core0.1 – 0.1
BrowserOperator / browser-operator-core0.2 – 0.2
BrowserOperator / browser-operator-core0.3 – 0.3
BrowserOperator / browser-operator-core0.4 – 0.4
BrowserOperator / browser-operator-core0.5 – 0.5
BrowserOperator / browser-operator-core0.6.0 – 0.6.0

Description

CVSS breakdown

Affected products

References