CVE-2026-25244

Source
https://cve.org/CVERecord?id=CVE-2026-25244
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25244.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25244
Aliases
Published
2026-05-18T20:31:14.497Z
Modified
2026-07-08T08:12:44.610757592Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
WebdriverIO has Command Injection in the BrowserStack Service
Details

WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25244.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/webdriverio/webdriverio

Affected ranges

Type
GIT
Repo
https://github.com/webdriverio/webdriverio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:openjsf:webdriverio:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.24.0"
        }
    ]
}

Affected versions

v5.*
v5.0.0
v5.0.0-beta.0
v5.0.0-beta.10
v5.0.0-beta.12
v5.0.0-beta.13
v5.0.0-beta.14
v5.0.0-beta.15
v5.0.0-beta.16
v5.0.0-beta.2
v5.0.0-beta.3
v5.0.0-beta.5
v5.0.0-beta.6
v5.0.0-beta.7
v5.0.0-beta.8
v5.0.0-beta.9
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0
v5.1.1
v5.1.2
v5.10.0
v5.10.1
v5.10.10
v5.10.2
v5.10.3
v5.10.4
v5.10.5
v5.10.6
v5.10.7
v5.10.8
v5.10.9
v5.11.0
v5.11.1
v5.11.10
v5.11.11
v5.11.12
v5.11.13
v5.11.14
v5.11.2
v5.11.3
v5.11.4
v5.11.5
v5.11.6
v5.11.7
v5.11.8
v5.11.9
v5.12.0
v5.12.1
v5.12.2
v5.12.3
v5.12.4
v5.12.5
v5.13.0
v5.13.0-alpha.0
v5.13.1
v5.13.2
v5.14.0
v5.14.1
v5.14.2
v5.14.3
v5.14.4
v5.14.5
v5.15.0
v5.15.1
v5.15.2
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.16.0
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.9
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.4.0
v5.4.1
v5.4.10
v5.4.11
v5.4.12
v5.4.13
v5.4.14
v5.4.15
v5.4.16
v5.4.17
v5.4.18
v5.4.19
v5.4.2
v5.4.20
v5.4.3
v5.4.4
v5.4.5
v5.4.6
v5.4.7
v5.4.8
v5.4.9
v5.5.0
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.7.0
v5.7.1
v5.7.10
v5.7.11
v5.7.12
v5.7.13
v5.7.14
v5.7.15
v5.7.16
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.7.7
v5.7.8
v5.7.9
v5.8.0
v5.8.1
v5.8.2
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.9.0
v5.9.1
v5.9.2
v5.9.3
v5.9.4
v5.9.5
v5.9.6
v6.*
v6.0.0
v6.0.0-alpha.0
v6.0.0-alpha.1
v6.0.0-beta.0
v6.0.0-beta.1
v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.16
v6.0.17
v6.0.18
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.0
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.16-blm2
v6.1.16-blm3
v6.1.16-blm4
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.10.0
v6.10.1
v6.10.10
v6.10.11
v6.10.12
v6.10.13
v6.10.14
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.11.0
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.12.0
v6.12.1
v6.2.0
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.5.0
v6.5.1
v6.5.2
v6.6.0
v6.6.1
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.8.0
v6.8.1
v6.8.2
v6.9.0
v6.9.1
v7.*
v7.0.0
v7.0.0-beta.0
v7.0.0-beta.1
v7.0.0-beta.2
v7.0.0-beta.3
v7.0.0-beta.4
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9
v7.1.0
v7.1.1
v7.1.2
v7.10.0
v7.10.1
v7.11.0
v7.11.1
v7.12.0
v7.12.1
v7.12.2
v7.12.3
v7.12.4
v7.12.5
v7.12.6
v7.13.0
v7.13.1
v7.13.2
v7.14.0
v7.14.1
v7.15.0
v7.16.0
v7.16.1
v7.16.10
v7.16.11
v7.16.12
v7.16.13
v7.16.14
v7.16.15
v7.16.16
v7.16.2
v7.16.3
v7.16.4
v7.16.5
v7.16.6
v7.16.7
v7.16.8
v7.16.9
v7.17.0
v7.17.1
v7.17.2
v7.17.3
v7.17.4
v7.18.0
v7.18.1
v7.19.0
v7.19.1
v7.19.2
v7.19.3
v7.19.4
v7.19.5
v7.19.6
v7.19.7
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.20.0
v7.20.1
v7.20.2
v7.20.3
v7.20.4
v7.20.5
v7.20.6
v7.20.7
v7.3.0
v7.3.1
v7.31.0
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.5.6
v7.5.7
v7.6.0
v7.6.1
v7.7.0
v7.7.1
v7.7.2
v7.7.3
v7.7.4
v7.7.5
v7.7.6
v7.7.7
v7.7.8
v7.8.0
v7.9.0
v7.9.1
v8.*
v8.0.0
v8.0.1
v8.0.10
v8.0.11
v8.0.12
v8.0.13
v8.0.14
v8.0.15
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9
v8.1.0
v8.1.1
v8.1.2
v8.1.3
v8.10.0
v8.10.1
v8.10.2
v8.10.3
v8.10.4
v8.10.5
v8.10.6
v8.10.7
v8.11.0
v8.11.1
v8.11.2
v8.11.3
v8.11.4
v8.12.0
v8.12.1
v8.12.2
v8.12.3
v8.13.0
v8.13.1
v8.13.10
v8.13.11
v8.13.12
v8.13.13
v8.13.14
v8.13.2
v8.13.3
v8.13.4
v8.13.5
v8.13.6
v8.13.7
v8.13.8
v8.13.9
v8.14.0
v8.14.1
v8.14.2
v8.14.3
v8.14.4
v8.14.5
v8.14.6
v8.15.0
v8.15.1
v8.15.10
v8.15.2
v8.15.3
v8.15.4
v8.15.5
v8.15.6
v8.15.7
v8.15.8
v8.15.9
v8.16.0
v8.16.1
v8.16.10
v8.16.11
v8.16.12
v8.16.13
v8.16.14
v8.16.15
v8.16.16
v8.16.17
v8.16.18
v8.16.19
v8.16.2
v8.16.20
v8.16.21
v8.16.22
v8.16.3
v8.16.4
v8.16.5
v8.16.6
v8.16.7
v8.16.8
v8.16.9
v8.17.0
v8.18.0
v8.18.1
v8.18.2
v8.19.0
v8.2.0
v8.2.1
v8.2.2
v8.2.3
v8.2.4
v8.2.5
v8.2.6
v8.20.0
v8.20.1
v8.20.2
v8.20.3
v8.20.4
v8.20.5
v8.21.0
v8.22.0
v8.22.1
v8.23.0
v8.23.1
v8.23.2
v8.23.3
v8.23.4
v8.23.5
v8.24.0
v8.24.1
v8.24.10
v8.24.11
v8.24.12
v8.24.13
v8.24.14
v8.24.15
v8.24.16
v8.24.2
v8.24.3
v8.24.4
v8.24.5
v8.24.6
v8.24.7
v8.24.8
v8.24.9
v8.25.0
v8.26.0
v8.26.1
v8.26.2
v8.26.3
v8.27.0
v8.27.1
v8.27.2
v8.28.0
v8.28.1
v8.28.2
v8.28.3
v8.28.4
v8.28.5
v8.28.6
v8.28.7
v8.28.8
v8.29.0
v8.29.1
v8.29.2
v8.29.3
v8.29.4
v8.29.5
v8.29.6
v8.29.7
v8.3.0
v8.3.1
v8.3.10
v8.3.11
v8.3.2
v8.3.3
v8.3.4
v8.3.5
v8.3.6
v8.3.7
v8.3.8
v8.3.9
v8.30.0
v8.31.0
v8.31.1
v8.32.0
v8.32.1
v8.36.0
v8.4.0
v8.5.0
v8.5.1
v8.5.2
v8.5.3
v8.5.4
v8.5.5
v8.5.6
v8.5.7
v8.5.8
v8.5.9
v8.6.0
v8.6.1
v8.6.2
v8.6.3
v8.6.4
v8.6.5
v8.6.6
v8.6.7
v8.6.8
v8.6.9
v8.7.0
v8.8.0
v8.8.1
v8.8.2
v8.8.3
v8.8.4
v8.8.5
v8.8.6
v8.8.7
v8.8.8
v8.9.0
v9.*
v9.0.0
v9.0.0-alpha.0
v9.0.1
v9.0.2
v9.0.3
v9.0.4
v9.0.5
v9.0.6
v9.0.7
v9.0.8
v9.0.9
v9.1.0
v9.1.1
v9.1.2
v9.1.3
v9.1.4
v9.1.5
v9.1.6
v9.10.0
v9.10.1
v9.11.0
v9.12.0
v9.12.1
v9.12.2
v9.12.3
v9.12.4
v9.12.5
v9.12.6
v9.12.7
v9.13.0
v9.14.0
v9.15.0
v9.16.0
v9.16.1
v9.16.2
v9.17.0
v9.17.1
v9.18.0
v9.18.1
v9.18.2
v9.18.3
v9.18.4
v9.19.0
v9.19.1
v9.19.2
v9.2.0
v9.2.1
v9.2.10
v9.2.11
v9.2.12
v9.2.13
v9.2.14
v9.2.15
v9.2.2
v9.2.3
v9.2.4
v9.2.5
v9.2.6
v9.2.7
v9.2.8
v9.2.9
v9.20.0
v9.20.1
v9.21.0
v9.21.1
v9.22.0
v9.23.0
v9.23.1
v9.23.2
v9.23.3
v9.3.0
v9.3.1
v9.4.0
v9.4.1
v9.4.2
v9.4.3
v9.4.4
v9.4.5
v9.5.0
v9.5.1
v9.5.2
v9.5.3
v9.5.4
v9.5.5
v9.5.6
v9.5.7
v9.6.0
v9.6.1
v9.6.2
v9.6.3
v9.6.4
v9.7.0
v9.7.1
v9.7.2
v9.7.3
v9.8.0
v9.9.0
v9.9.1
v9.9.2
v9.9.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25244.json"