CVE-2026-7234
Published: 28 April 2026
Summary
CVE-2026-7234 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-7234 is a path traversal vulnerability in the BrowserOperator browser-operator-core project, affecting versions up to 0.6.0. The flaw is in the startsWith check applied to request.url in scripts/component_server/server.js: a prefix check on the raw request URL does not stop later path segments such as ../ from resolving above the intended directory, so a crafted request.url lets an attacker reach files outside the paths the component server is meant to expose.
The vulnerability can be exploited remotely over the network with low complexity, requiring no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Remote attackers can send crafted requests to the affected component server, potentially leading to limited confidentiality, integrity, and availability impacts, such as reading or modifying restricted files.
Advisories from VulDB and the project's GitHub issue #96 indicate that the vulnerability was reported early to the maintainers, but they have not yet responded or issued a patch. No official fix or workaround is available; until one is, avoid exposing the component server to untrusted networks, and monitor the repository at https://github.com/BrowserOperator/browser-operator-core/ for updates.
An exploit for this issue has been made publicly available, increasing the risk of attacks against exposed instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26001
Vulnerability details
A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote path traversal in the exposed component server directly enables exploitation of a public-facing application for initial access (T1190) and unauthorized reading or modification of files on the host (Data from Local System, T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates path traversal by requiring validation of request.url before it is used to locate a file. Validation must operate on the decoded, canonicalised path and confirm the result stays inside the intended directory; rejecting the literal '../' alone misses percent-encoded and backslash variants.
- SI-2 (Flaw Remediation): Addresses the root cause of the vulnerability in the startsWith check by identifying, reporting, and correcting the flaw through timely patching.
- SC-7 (Boundary Protection): Boundary protection mechanisms such as WAFs monitor and block remote crafted requests containing path traversal payloads targeting the component server.