Vendor
A command injection vulnerability (CVE-2026-25244) in `@wdio/browserstack-service` allows remote code execution (RCE) by processing malicious git branch names in test orchestration, where an attacker can inject shell commands via a crafted git repository.