Vulnerability CVE-2026-7411

CVE-2026-7411 - Vulnerability-Lookup


CVE-2026-7411

(GCVE-0-2026-7411)

Vulnerability from cvelistv5 – Published: 2026-05-05 14:07 – Updated: 2026-05-06 15:25

Summary

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.

Severity

10 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory

Assigner

eclipse

References

2 references

URL, Tags

https://gitlab.eclipse.org/security/vulnerability…

https://gitlab.eclipse.org/security/cve-assignmen…

Impacted products

1 product

Vendor: Eclipse Foundation
Product: Eclipse BaSyx
Version: Affected: 0 , (custom)

Credits

Mohamed Lemine Ahmed Jidou (AegisSec)
