PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses. In deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs. This vulnerability is fixed in 1.39.6.
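A destination check of the kind the description calls for, as an added example (not PlaywrightCapture's own code or its patch). It assumes each navigation and resource request URL is passed to `request_allowed`; the function names and the sample DNS data are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https"}
INERT_SCHEMES = {"data", "blob", "about"}  # never leave the browser process

def system_resolve(host):
    """Default resolver: every address the OS returns for the host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) before classifying.
    mapped = getattr(ip, "ipv4_mapped", None)
    return (mapped or ip).is_global

def request_allowed(url, resolve=system_resolve):
    """Return True only for URLs whose every resolved address is public."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme in INERT_SCHEMES:
        return True
    if scheme not in NETWORK_SCHEMES or not parts.hostname:
        return False  # file://, ftp://, chrome://, ...
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:  # not an IP literal: resolve the name
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, ValueError):
            return False
    # One private answer is enough to reject (split-horizon / mixed records).
    return bool(addrs) and all(is_public(ip) for ip in addrs)

# Constructed sample DNS data so the example runs offline.
SAMPLE_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
}

def sample_resolve(host):
    if host not in SAMPLE_DNS:
        raise OSError("no such host (constructed resolver)")
    return SAMPLE_DNS[host]
```

The check has to run on every request the rendered page triggers, including script-driven navigations and redirects, not only on the URL submitted for capture. A name can also resolve differently between this check and the browser's own connection, so network-level egress filtering on the capture host remains necessary.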
History
28 May 2026, 17:37
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/Lookyloo/PlaywrightCapture/commit/49e289eba756e4fbac1322c33cfd111411562405 - Patch | |
| References | () https://github.com/Lookyloo/PlaywrightCapture/security/advisories/GHSA-687h-xw6f-q2qw - Vendor Advisory | |
| First Time | Lookyloo playwright Capture<br>Lookyloo | |
| CVSS | v2 : <br>v3 : | v2 : unknown<br>v3 : 7.5 |
| CPE | cpe:2.3:a:lookyloo:playwright_capture:*:*:*:*:*:*:*:* | |
13 May 2026, 22:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-05-13 22:16
Updated : 2026-05-28 17:37
NVD link : CVE-2026-44439
Mitre link : CVE-2026-44439
CVE.ORG link : CVE-2026-44439
Products Affected
lookyloo
- playwright_capture
CWE
CWE-918
Server-Side Request Forgery (SSRF)
