CVE-2026-41011

HIGH 8.2

CVSS Score

8.2

EPSS Score

0.0%

EPSS Percentile

5th

PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via %x{} — i.e., /bin/sh -c. No Shellwords.escape is applied. The Models::Package Sequel validation (VALID_ID = /^[-0-9A-Za-z_+.]+$/i) would reject the name, but in create_package (lines 74–79) the shell-out in save_package_source_blob runs before package.save, so validation fires too late. Affected versions: - BOSH: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later

CWE	CWE-78
Vendor	cloud foundry foundation
Product	bosh
Published	Jun 4, 2026
Last Updated	Jun 4, 2026

Stay Ahead of the Next One

Get instant alerts for cloud foundry foundation bosh

Be the first to know when new high vulnerabilities affecting cloud foundry foundation bosh are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Cloud Foundry Foundation / BOSH

0 < 282.1.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cloudfoundry.org: https://www.cloudfoundry.org/blog/cve-2026-41011-package-name-command-injection/