CVSS 7.3 · HIGH

CVE-2026-7234

Analysis

BrowserOperator (browser-operator-core) is a niche Node.js-based utility with limited deployment compared to mainstream browser automation tools. While the vulnerability is unpatched and an exploit is public, the impact is localized to a small user base and does not pose a broad ecosystem risk.

Severity

Score: 7.3 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: LOW
I: LOW
A: LOW
Weakness (CWE): CWE-22

EPSS

Probability of exploitation (next 30 days): 0.0006 (0.1%)
Percentile: 18.6%
EPSS: 2026-05-06

Technical description

A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. It affects the function startsWith in the file scripts/component_server/server.js. Manipulating the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Published: 4/28/2026, 7:16:04 AM
Last modified: 4/29/2026, 1:00:01 AM
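The record does not show the affected code, so the following is an added example and not BrowserOperator's own code: it contrasts one common way a startsWith containment check on a path built from request.url fails with a check that compares resolved path segments. `ROOT`, `weakResolve` and `safeResolve` are hypothetical names, and the document root is a constructed value.

```javascript
// Added example; not the project's code. All names and paths are constructed.
const posixPath = require('node:path').posix; // POSIX rules, same result on any host

const ROOT = '/srv/app/static'; // constructed document root

// Weak pattern (assumed, for illustration): join, then compare string prefixes.
// "/srv/app/static-private/..." also starts with "/srv/app/static".
function weakResolve(requestUrl) {
  const candidate = posixPath.join(ROOT, requestUrl);
  return candidate.startsWith(ROOT) ? candidate : null;
}

// Hardened: decode once, resolve, then check containment by path segments.
function safeResolve(requestUrl) {
  let pathname;
  try {
    // Drop query/fragment, then decode so "%2e%2e" is seen as "..".
    pathname = decodeURIComponent(requestUrl.split(/[?#]/, 1)[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  // Reject NUL bytes and backslashes instead of guessing their meaning.
  if (pathname.includes('\0') || pathname.includes('\\')) return null;

  // The "./" prefix keeps an absolute-looking pathname anchored under ROOT.
  const candidate = posixPath.resolve(ROOT, './' + pathname);
  const rel = posixPath.relative(ROOT, candidate);

  // Outside ROOT if the relative path climbs up; "..foo" is a legal file name.
  if (rel === '..' || rel.startsWith('../') || posixPath.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}
```

On a real filesystem, also resolve symbolic links (for example with `fs.realpath`) before the containment check, since a link inside the root can point outside it.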
