CVE-2026-7234 - Vulnerability Details

- BrowserOperator browser-operator-core server.js startsWith path traversal

Description

A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Published: 2026-04-28

Score: 6.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

BrowserOperator browser-operator-core contains a path‑traversal flaw in the startsWith function of scripts/component_server/server.js. By manipulating the request.url parameter, an attacker can cause the server to resolve file paths that escape the intended directory. Although the flaw itself does not provide an immediate remote code execution vector, it allows reading or overwriting arbitrary files, potentially enabling further exploitation such as execution of injected code or data exfiltration.

Affected Systems

The vulnerability exists in BrowserOperator browser-operator-core version 0.6.0 and earlier. No other product or vendor names are affected. The software is distributed under an open source license and hosted on GitHub.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The exploit is available publicly and can be launched remotely. Path‑traversal conditions are satisfied when the server processes incoming HTTP requests containing a crafted URL, so an attacker with network access to the exposed API can exercise the weakness.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

BrowserOperator

browser-operator-core

affected

Version	Status	Constraints
`0.1`	affected	—
`0.2`	affected	—
`0.3`	affected	—
`0.4`	affected	—
`0.5`	affected	—
`0.6.0`	affected	—

No data.

Vendor Product Confidence Versions

Browseroperator

Browser-operator-core

100%

Version	Status	Scheme	Platform
`0.1`	affected	generic	—
`0.2`	affected	generic	—
`0.3`	affected	generic	—
`0.4`	affected	generic	—
`0.5`	affected	generic	—
`0.6.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a browser-operator-core release newer than 0.6.0 once it becomes available
Apply input validation or sanitization to the request.url parameter to eliminate directory traversal sequences before they reach the filesystem
Restrict the application’s filesystem permissions so that only required directories are accessible from the server’s working directory

Generated by OpenCVE AI on April 28, 2026 at 12:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/BrowserOperator/browser-operator-core/
https://github.com/BrowserOperator/browser-operator-core/issues/96
https://vuldb.com/submit/802762
https://vuldb.com/vuln/359843
https://vuldb.com/vuln/359843/cti

History

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Browseroperator Browseroperator browser-operator-core
Vendors & Products		Browseroperator Browseroperator browser-operator-core

Tue, 28 Apr 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title		BrowserOperator browser-operator-core server.js startsWith path traversal
Weaknesses		CWE-22
References		https://github.com/BrowserOperator/browser-operator-core/ https://github.com/BrowserOperator/browser-operator-core/issues/96 https://vuldb.com/submit/802762 https://vuldb.com/vuln/359843 https://vuldb.com/vuln/359843/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Browseroperator Browser-operator-core

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-28T06:15:13.509Z

Updated: 2026-04-28T06:15:13.509Z

Reserved: 2026-04-27T17:04:04.203Z

Link: CVE-2026-7234

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-28T07:16:04.247

Modified: 2026-04-28T07:16:04.247

Link: CVE-2026-7234

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object