CVE-2026-44439

Source
https://cve.org/CVERecord?id=CVE-2026-44439
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44439.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44439
Aliases
Published
2026-05-13T21:29:24.581Z
Modified
2026-07-15T01:48:50.607903678Z
Severity
  • 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
LookyLoo - PlaywrightCapture permits access to local files and internal network resources during page capture
Details

PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses. In deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs. This vulnerability is fixed in 1.39.6.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44439.json"
}
References

Affected packages

Git / github.com/lookyloo/playwrightcapture

Affected ranges

Type
GIT
Repo
https://github.com/lookyloo/playwrightcapture
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:lookyloo:playwright_capture:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.39.6"
        }
    ]
}

Affected versions

v0.*
v0.2.0
v0.2.2
v1.*
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.13.4
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.15.0
v1.15.1
v1.15.10
v1.15.2
v1.15.3
v1.15.5
v1.15.6
v1.15.7
v1.15.8
v1.15.9
v1.16.0
v1.16.1
v1.16.10
v1.16.11
v1.16.2
v1.16.3
v1.16.4
v1.16.5
v1.16.6
v1.16.7
v1.16.8
v1.16.9
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.17.6
v1.18.0
v1.19.0
v1.19.1
v1.19.10
v1.19.11
v1.19.12
v1.19.13
v1.19.14
v1.19.15
v1.19.16
v1.19.2
v1.19.3
v1.19.4
v1.19.5
v1.19.6
v1.19.7
v1.19.8
v1.19.9
v1.20.0
v1.20.1
v1.20.10
v1.20.2
v1.20.3
v1.20.4
v1.20.5
v1.20.6
v1.20.7
v1.20.8
v1.20.9
v1.21.0
v1.21.1
v1.21.10
v1.21.11
v1.21.2
v1.21.3
v1.21.4
v1.21.6
v1.21.7
v1.21.8
v1.21.9
v1.22.0
v1.22.1
v1.22.3
v1.22.4
v1.22.5
v1.22.6
v1.22.7
v1.22.8
v1.23.0
v1.23.1
v1.23.10
v1.23.11
v1.23.12
v1.23.13
v1.23.14
v1.23.2
v1.23.3
v1.23.4
v1.23.5
v1.23.6
v1.23.7
v1.23.8
v1.23.9
v1.24.0
v1.24.1
v1.24.10
v1.24.11
v1.24.2
v1.24.3
v1.24.4
v1.24.5
v1.24.6
v1.24.7
v1.24.8
v1.24.9
v1.25.0
v1.25.1
v1.25.10
v1.25.11
v1.25.12
v1.25.13
v1.25.14
v1.25.15
v1.25.2
v1.25.3
v1.25.4
v1.25.5
v1.25.6
v1.25.7
v1.25.8
v1.25.9
v1.26.0
v1.26.1
v1.26.2
v1.26.3
v1.27.0
v1.27.1
v1.27.2
v1.27.3
v1.27.4
v1.27.5
v1.27.6
v1.27.7
v1.27.8
v1.27.9
v1.28.0
v1.28.1
v1.28.2
v1.28.3
v1.28.4
v1.28.5
v1.28.6
v1.29.0
v1.29.1
v1.29.2
v1.29.3
v1.30.0
v1.31.0
v1.31.1
v1.31.2
v1.31.3
v1.31.4
v1.31.5
v1.31.6
v1.31.7
v1.32.0
v1.32.1
v1.32.2
v1.32.3
v1.32.4
v1.32.5
v1.33.0
v1.34.0
v1.34.1
v1.34.2
v1.34.3
v1.34.4
v1.34.5
v1.35.0
v1.35.1
v1.36.0
v1.36.1
v1.36.10
v1.36.2
v1.36.3
v1.36.4
v1.36.5
v1.36.6
v1.36.7
v1.36.8
v1.36.9
v1.37.0
v1.37.1
v1.37.2
v1.37.3
v1.38.0
v1.39.0
v1.39.1
v1.39.2
v1.39.3
v1.39.4
v1.39.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44439.json"