Cyber Resilience

CVE-2026-7234

Medium

Published: 28 April 2026

Published
28 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 20.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7234 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7234 is a path traversal vulnerability in the BrowserOperator browser-operator-core project, affecting versions up to 0.6.0. The issue resides in the startsWith function within the file scripts/component_server/server.js, where manipulation of the request.url argument enables attackers to traverse directories and access unintended files or paths.

The vulnerability can be exploited remotely over the network with low complexity, requiring no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Remote attackers can send crafted requests to the affected component server, potentially leading to limited confidentiality, integrity, and availability impacts, such as reading or modifying restricted files.

Advisories from VulDB and the project's GitHub issue #96 indicate that the vulnerability was reported early to the maintainers, but they have not yet responded or issued patches. No official mitigations are available, and security practitioners should monitor the repository at https://github.com/BrowserOperator/browser-operator-core/ for updates.

An exploit for this issue has been made publicly available, increasing the risk of attacks against exposed instances.

EU & UK References

Vulnerability details

A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit…

more

has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Remote path traversal in exposed component server directly enables exploitation of public-facing applications for initial access (T1190) and unauthorized reading/modification of local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12824Shared CWE-22
CVE-2026-25965Shared CWE-22
CVE-2025-30567Shared CWE-22
CVE-2025-27098Shared CWE-22
CVE-2024-55457Shared CWE-22
CVE-2026-35485Shared CWE-22
CVE-2024-54909Shared CWE-22
CVE-2026-3405Shared CWE-22
CVE-2025-41368Shared CWE-22
CVE-2026-23850Shared CWE-22

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates path traversal by requiring validation of request.url inputs to reject traversal sequences like '../' before processing.

prevent

Addresses the root cause of the vulnerability in startsWith function by identifying, reporting, and correcting the flaw through timely patching.

preventdetect

Boundary protection mechanisms like WAFs monitor and block remote crafted requests containing path traversal payloads targeting the component server.

References