CVE-2026-48723
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk41th percentile — higher than 41% of all known CVEs
Summary
Browserstack-cypress-cli versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. The loadJsFile() function in readCypressConfigUtil.js executes a shell command by interpolating the user-controlled cypress_config_filepath value.
Risk Assessment
Exploitation of this vulnerability could allow arbitrary OS command execution, posing a significant security risk. An attacker could gain control over the system, potentially leading to data loss or access to sensitive information.
Recommendation
It is recommended to upgrade to version 1.36.6 or later to mitigate this vulnerability. Additionally, conduct a configuration audit and monitor systems for unauthorized activities.
Original NVD description (English source)
The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically " and ;) allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6.

