CVE-2026-7411
🟠 Łataj w tym tygodniu
Nieprawidłowa normalizacja ścieżek w Eclipse BaSyx pozwala na atak typu traversal i zdalne wykonanie kodu.
CVSS
10.0
EPSS
0.1%
Exploit
none
Vendor
Opis źródłowy (NVD)
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.
path-traversal rce
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 10.0 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.1% |
| Opublikowano (NVD) | 2026-05-05 16:16:18 UTC |
| Ostatnia modyfikacja (NVD) | 2026-05-06 16:16:12 UTC |
Referencje
- https://gitlab.eclipse.org/security/cve-assignment/-/issues/102 (emo@eclipse.org)
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423 (emo@eclipse.org)