High severity8.8NVD Advisory· Published Jun 2, 2026· Updated Jun 4, 2026
CVE-2026-49143
CVE-2026-49143
Description
BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
browserstack-runnernpm | <= 0.9.5 | — |
Affected products
1- Range: <=0.9.5
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.