RCE in Shopify Tophat

CVE-2026-39862

Tophat is a mobile application testing harness. Versions prior to 2.5.1 are affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.003 (57.5th percentile)
