PatchSiren cyber security CVE debrief
CVE-2026-48723 browserstack CVE debrief
CVE-2026-48723 is a HIGH-severity vulnerability (CVSS 7.8) in browserstack-cypress-cli, the command-line interface for running Cypress tests on BrowserStack. It is an OS command injection reachable through the cypress_config_file configuration parameter. The loadJsFile() function in readCypressConfigUtil.js builds a shell command by interpolating the user-controlled cypress_config_filepath value into a template literal and then runs that string with child_process.execSync(). Because execSync() hands the string to a shell, shell metacharacters in the path (the advisory names `;`) terminate the intended command and start a new one, so whoever controls the config path can run arbitrary commands with the privileges of the CLI process. The issue was fixed in version 1.36.6.
- Vendor
- browserstack
- Product
- browserstack-cypress-cli
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-16
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-16
Who should care
Users of browserstack-cypress-cli running any version before 1.36.6 (the fixed release) should treat this as actionable. The exposure is greatest where the cypress_config_file value can be influenced by someone other than the pipeline owner, for example a CI job that takes the config path from a pull request, a repository-level config file, or an environment variable that untrusted contributors can set.
Technical summary
browserstack-cypress-cli is vulnerable to OS command injection. The loadJsFile() function in readCypressConfigUtil.js interpolates the cypress_config_filepath value directly into a shell command string and executes it with child_process.execSync(), with no validation of the path and no escaping of shell metacharacters. A path such as `cypress.config.js; <command>` is therefore parsed by the shell as two commands rather than one filename.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade browserstack-cypress-cli to version 1.36.6 or later; this is the only complete fix
- Until the upgrade lands, pin cypress_config_file to a fixed, repository-controlled path and do not let it be set from pull-request content, untrusted environment variables, or other user-supplied input
- As an interim control, reject any cypress_config_file value containing shell metacharacters (such as `;`, `|`, `&`, `$`, backticks, or parentheses) before the CLI runs
- Review CI logs for runs where the config path contained unexpected characters, since a successful injection executes with the CI job's credentials
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide information about the vulnerability. Additional details can be found in the source references [ref-4] and [ref-5].
Official resources
CVE-2026-48723 was published on 2026-06-15T23:16:45.520Z; the CVE record and the vendor advisory were last updated on 2026-06-16.