CVE-2026-7411 · CRITICAL 10.0 · EPSS p88.2%

Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 3.68% probability of exploitation · percentile 88.2% · 2026-06-19T12:03:05Z
Published: 2026-05-05
Last modified: 2026-05-06

Underlying weaknesses · 1

CWE-22

References

  1. https://gitlab.eclipse.org/security/cve-assignment/-/issues/102
  2. https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423

Type | Target | Confidence | Tier
Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') cwe-22 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-7412
CVE-2026-2623
CVE-2025-41735
CVE-2025-42922
CVE-2025-57790
CVE-2026-5027

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.