Description
PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses. In deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs. This vulnerability is fixed in 1.39.6.
Published: 2026-05-13
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PlaywrightCapture, a tool for rendering web pages using Playwright, failed to limit navigation and resource requests before version 1.39.6. An attacker‑controlled page can redirect the capture process to file:// URLs or to non‑public IPs, allowing server‑side request forgery against internal services or local file read attempts. If the capture output is later viewed, data from those internal or local resources could be exposed through screenshots, saved page content, logs, or other artifacts.

Affected Systems

The vulnerability affects Lookyloo’s PlaywrightCapture component. All releases prior to 1.39.6 are vulnerable; applying the 1.39.6 update or later removes the flaw.

Risk and Exploitability

With a CVSS score of 6.6 the weakness is considered medium severity, and it is not listed in the CISA KEV catalog. The EPSS is not available, so current exploit likelihood is unknown, but environments that process untrusted URLs are the primary risk area. An attacker could trigger internal requests or local file enumeration, potentially leaking sensitive data into exposed artifacts.

Generated by OpenCVE AI on May 13, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PlaywrightCapture to version 1.39.6 or later to receive the security fix
  • Configure the capture service to validate and whitelist destination URLs, disallowing redirects to file:// or private IP ranges
  • Place the capture environment behind network isolation controls that block outbound traffic to internal or loopback subnets

Generated by OpenCVE AI on May 13, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-687h-xw6f-q2qw Playwright Capture permits access to local files and internal network resources during page capture
History

Thu, 28 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Lookyloo playwright Capture
CPEs cpe:2.3:a:lookyloo:playwright_capture:*:*:*:*:*:*:*:*
Vendors & Products Lookyloo playwright Capture
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Lookyloo
Lookyloo playwrightcapture
Vendors & Products Lookyloo
Lookyloo playwrightcapture

Wed, 13 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses. In deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs. This vulnerability is fixed in 1.39.6.
Title LookyLoo - PlaywrightCapture permits access to local files and internal network resources during page capture
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Lookyloo Playwright Capture Playwrightcapture
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:01:11.899Z

Reserved: 2026-05-06T14:40:00.954Z

Link: CVE-2026-44439

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T22:16:44.850

Modified: 2026-05-28T17:37:08.367

Link: CVE-2026-44439

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:33:10Z

Weaknesses