Description
A command injection vulnerability exists in @wdio/browserstack-service that allows remote code execution (RCE) when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command injection payloads.
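The class of bug described above, as an added example that is not code from @wdio/browserstack-service: a branch name interpolated into a shell string is parsed by the shell, while the same value passed as an argv entry is not. The function names are hypothetical, `echo` stands in for whatever command consumes the branch name, and the sample branch name is constructed.

```javascript
// Added illustration; not code from @wdio/browserstack-service.
const { execSync, execFileSync } = require('node:child_process');

// Constructed sample: git ref rules permit `$`, `(` and `)` in a branch name.
const SAMPLE_BRANCH = 'release-$(uname)';

// Vulnerable pattern: the branch name is spliced into a string that /bin/sh
// parses, so `$(...)` is expanded before `echo` (a stand-in command) runs.
function describeBranchUnsafe(branch) {
  return execSync(`echo branch=${branch}`, { encoding: 'utf8' }).trim();
}

// Hardened pattern: no shell is involved; the name is a single argv entry
// and reaches the program verbatim.
function describeBranchSafe(branch) {
  return execFileSync('echo', [`branch=${branch}`], { encoding: 'utf8' }).trim();
}

// Defence in depth (hypothetical helper): allow-list the characters expected
// in a branch name; the first-character rule also rejects a leading '-', so
// the value cannot be read as a command-line option.
function isPlainBranchName(branch) {
  return typeof branch === 'string'
    && branch.length > 0 && branch.length <= 255
    && /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/.test(branch);
}

function demo() {
  return {
    unsafe: describeBranchUnsafe(SAMPLE_BRANCH), // substitution was executed
    safe: describeBranchSafe(SAMPLE_BRANCH),     // literal text preserved
    accepted: isPlainBranchName(SAMPLE_BRANCH),  // rejected by the allow-list
  };
}

console.log(demo());
```

When auditing a code base for this pattern, search for `exec`/`execSync` calls and `shell: true` options whose command string includes values read from the repository, such as branch names, tags or commit messages.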
Recommendation
Update the @wdio/browserstack-service package to the latest compatible version. The version details are as follows:
- Affected version(s): <= 9.23.2
- Patched version(s): 9.24.0
Related Issues
- yii2-mcp-server has a Command Injection Issue - CVE-2026-7600
- electerm has Command Injection via runLinux function - CVE-2026-41501
- automagik-genie has a command injection vulnerability - CVE-2026-30635
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
Tags: npm, @wdio/browserstack-service
Last updated on May 19, 2026


