CVE-2026-7411

N/A

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

对路径名的限制不恰当(路径遍历)

Eclipse BaSyx Java Server SDK 路径遍历漏洞

Eclipse BaSyx Java Server SDK是Eclipse基金会的一个工业数字化开发工具包。 Eclipse BaSyx Java Server SDK 2.0.0-milestone-10之前版本存在路径遍历漏洞，该漏洞源于Submodel HTTP API中路径规范化不足，可能导致未经身份验证的远程攻击者通过特制的fileName参数绕过存储边界，将任意文件写入Java进程可访问的主机文件系统，从而导致远程代码执行和系统完全受损。

N/A

N/A