CVE-2026-7234

Summary

A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Affected Software

VendorProductVersion RangeStatus
BrowserOperatorbrowser-operator-core0.1affected
BrowserOperatorbrowser-operator-core0.2affected
BrowserOperatorbrowser-operator-core0.3affected
BrowserOperatorbrowser-operator-core0.4affected
BrowserOperatorbrowser-operator-core0.5affected
BrowserOperatorbrowser-operator-core0.6.0affected

Weaknesses

  • CWE-22: Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References