PT-2026-38317 · Microsoft · Playwrightcapture

Jeroengui · Published 2026-05-06 · Updated 2026-05-14 · CVE-2026-44439

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Playwright Capture (affected versions not specified)

Description

Playwright Capture fails to sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page can abuse browser-side redirection mechanisms, such as window.location.href, to force the capture process to open 'file://' URLs or request resources from private, loopback, link-local, or non-public IP addresses. This can lead to Server-Side Request Forgery (SSRF), where a remote attacker performs requests against internal services or accesses local files from the capture environment. Depending on the generated artifacts, responses from these resources may be leaked via screenshots, saved page content, or logs.

Recommendations

Apply the patch that introduces request routing checks to block secondary requests to local files, non-global IP addresses, and .local domains when only global lookup is enabled.
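
One way to express the kind of request-routing decision the recommendation describes, as an added example (not the project's patch or code). It assumes global-only lookup is enabled; `block_reason`, `sample_resolve` and the DNS table are hypothetical names and constructed data.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: a capture only needs web schemes

# Constructed sample DNS answers so the example runs offline.
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}

def sample_resolve(host):
    """Hypothetical resolver hook; a real one would wrap socket.getaddrinfo()."""
    return SAMPLE_DNS.get(host, [])

def _non_global(addr):
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by the embedded IPv4 address.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return not ip.is_global

def block_reason(url, resolve=sample_resolve):
    """Return why a request must be aborted, or None if it may proceed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "scheme:" + scheme          # file:// and other non-web schemes
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "no-host"
    if host == "local" or host.endswith(".local"):
        return "local-domain"
    try:
        ipaddress.ip_address(host)         # literal IP in the URL
        addrs = [host]
    except ValueError:
        addrs = resolve(host)              # hostname: check every answer
    if not addrs:
        return "unresolvable"
    for addr in addrs:
        if _non_global(addr):
            return "non-global:" + addr
    return None
```

In a Playwright-based capturer this decision would be taken for every request in a `page.route()` handler, aborting the route when a reason is returned. The addresses checked must be the ones the browser actually connects to, otherwise a changed DNS answer bypasses the check.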

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-44439
GHSA-687H-XW6F-Q2QW

Affected Products

Playwrightcapture