CVE-2026-7412 · HIGH 8.6 · EPSS p39.7%

Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.52% probability of exploitation · percentile 39.7% · 2026-06-19T12:03:05Z
Published: 2026-05-05
Last modified: 2026-05-06

Underlying weaknesses · 1

CWE-918

References

  1. https://gitlab.eclipse.org/security/cve-assignment/-/issues/103
  2. https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423

Type: Weakness · Target: Server-Side Request Forgery (SSRF) (cwe-918) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-7411
  2. CVE-2025-22426
  3. CVE-2025-10611
  4. CVE-2026-5936
  5. CVE-2025-42922
  6. CVE-2025-45854

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.