Search criteria
1 vulnerability found for PlaywrightCapture by LookyLoo
GCVE-1-2026-0028
Vulnerability from gna-1 – Published: 2026-04-29 19:28 – Updated: 2026-04-29 19:28
VLAI?
Title
LookyLoo - PlaywrightCapture permits access to local files and internal network resources during page capture
Summary
PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses.
In deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs.
The patch mitigates the issue by introducing request routing checks that block secondary requests to local files, non-global IP addresses, and .local domains when only_global_lookup is enabled, while still allowing the originally requested capture URL.
Severity ?
CWE
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LookyLoo | PlaywrightCapture |
Affected:
0 , < 1.39.6
(semver)
|
Credits
Relationships ?
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PlaywrightCapture",
"vendor": "LookyLoo",
"versions": [
{
"lessThan": "1.39.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Raphael Vinot"
},
{
"lang": "en",
"type": "finder",
"value": "Jeroen Gui"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as \u003ccode\u003ewindow.location.href\u003c/code\u003e, to make the capture process open \u003ccode\u003efile://\u003c/code\u003e URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses.\u003c/p\u003e\n\u003cp\u003eIn deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs.\u003c/p\u003e\n\u003cp\u003eThe patch mitigates the issue by introducing request routing checks that block secondary requests to local files, non-global IP addresses, and \u003ccode\u003e.local\u003c/code\u003e domains when \u003ccode\u003eonly_global_lookup\u003c/code\u003e is enabled, while still allowing the originally requested capture URL.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. An attacker-controlled page could abuse browser-side redirection mechanisms, such as window.location.href, to make the capture process open file:// URLs or request resources hosted on private, loopback, link-local, or otherwise non-public IP addresses.\n\n\nIn deployments where PlaywrightCapture processes untrusted URLs, this could allow a remote attacker to perform server-side request forgery against internal services or attempt to access local files from the capture environment. Depending on what capture artifacts are generated and exposed, responses from those resources could potentially be leaked through screenshots, saved page content, logs, or other capture outputs.\n\n\nThe patch mitigates the issue by introducing request routing checks that block secondary requests to local files, non-global IP addresses, and .local domains when only_global_lookup is enabled, while still allowing the originally requested capture URL."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/Lookyloo/PlaywrightCapture/commit/49e289eba756e4fbac1322c33cfd111411562405"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "LookyLoo - PlaywrightCapture permits access to local files and internal network resources during page capture",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-0028"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"datePublished": "2026-04-29T19:28:00.000Z",
"dateUpdated": "2026-04-29T19:28:44.316023Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0028",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-04-29T19:28:20.659212Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-04-29T19:28:44.316023Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}