CVE-2026-7411

CRITICAL 10.0

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

0th

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.

CWE	CWE-22
Vendor	eclipse foundation
Product	eclipse basyx
Published	May 5, 2026

Stay Ahead of the Next One

Get instant alerts for eclipse foundation eclipse basyx

Be the first to know when new critical vulnerabilities affecting eclipse foundation eclipse basyx are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Eclipse Foundation / Eclipse BaSyx

0 < 2.0.0-milestone-10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gitlab.eclipse.org: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423 gitlab.eclipse.org: https://gitlab.eclipse.org/security/cve-assignment/-/issues/102

Credits

Mohamed Lemine Ahmed Jidou (AegisSec)