CVE Catalog

CVE-2026-48723

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.53%

41th percentile — higher than 41% of all known CVEs

Summary

Browserstack-cypress-cli versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. The loadJsFile() function in readCypressConfigUtil.js executes a shell command by interpolating the user-controlled cypress_config_filepath value.

Risk Assessment

Exploitation of this vulnerability could allow arbitrary OS command execution, posing a significant security risk. An attacker could gain control over the system, potentially leading to data loss or access to sensitive information.

Recommendation

It is recommended to upgrade to version 1.36.6 or later to mitigate this vulnerability. Additionally, conduct a configuration audit and monitor systems for unauthorized activities.

Original NVD description (English source)

The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal, then executes it via child_process.execSync(). Shell metacharacters in the config path (specifically " and ;) allow breaking out of the quoted argument and injecting arbitrary commands. This issue has been fixed in version 1.36.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS