CVE-2026-7234

Name of the Vulnerable Software and Affected Versions BrowserOperator browser-operator-core versions prior to 0.6.1

Description A path traversal issue exists in the startsWith() function within the scripts/component server/server.js file. A remote attacker can exploit this by manipulating the request.url variable, potentially allowing unauthorized access to files or directories outside the intended folder.

Recommendations As a temporary workaround, restrict access to the startsWith() function in the scripts/component server/server.js file or avoid using the request.url variable in the affected component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.