CVE-2026-49144

Description

BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside the project root and access sensitive files.

Scoring

CVSS: 6.5
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.21% probability of exploitation · percentile 10.8% · 2026-06-18T12:00:27Z
Last modified: 2026-06-04

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-49143
CVE-2025-24937
CVE-2025-41368
CVE-2026-45230
CVE-2026-10928
CVE-2026-11078

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.