Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
10.0
CVE-2026-7411: Eclipse BaSyx Java Server SDK: Unauthenticated File Writing
CVE-2026-7411
GHSA-8gpm-h2mh-36qc
Summary
The Eclipse BaSyx Java Server SDK, used in certain applications, has a security flaw that allows an attacker to write files anywhere on the computer. This could potentially let an attacker take control of the entire system. To fix this, update the SDK to version 2.0.0-milestone-10 or later.
What to do
- Update org.eclipse.basyx:basyx.sdk to version 2.0.0-milestone-10.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| maven | – | org.eclipse.basyx:basyx.sdk |
< 2.0.0-milestone-10 Fix: upgrade to 2.0.0-milestone-10
|
Original title
Eclipse BaSyx Java Server SDK vulnerable to Path Traversal
Original description
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.
nvd CVSS3.1
10.0
Vulnerability type
CWE-22
Path Traversal
Published: 5 May 2026 · Updated: 28 May 2026 · First seen: 5 May 2026