Is there a public PoC exploit available for CVE-2026-11408?

Yes, a public proof-of-concept exploit is available for CVE-2026-11408. Prioritise patching immediately. EPSS: 0.9%.

Is there a patch available for CVE-2026-11408?

Yes, a patch is available for CVE-2026-11408. Update the affected software to the latest version immediately.

vertex-app vertex CVE-2026-11408

Q: What is the CVSS score of CVE-2026-11408?

CVE-2026-11408 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.9%.

EUVD-2026-34965 LOW

OS Command Injection (CWE-78)

2026-06-06 VulDB

GHSA-cx7v-5xwm-4mqw

Command Injection Vertex

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Jun 06, 2026 - 11:22 NVD

MEDIUM LOW

CVSS changed

Jun 06, 2026 - 11:22 NVD

6.3 (MEDIUM) 2.1 (LOW)

Source Code Evidence Fetched

Jun 06, 2026 - 11:16 vuln.today

Analysis Generated

Jun 06, 2026 - 11:16 vuln.today

DescriptionCVE.org

A vulnerability was identified in vertex-app vertex up to 2026.02.12. This issue affects some unknown processing of the file app/model/LogMod.js of the component Log Viewer Endpoint. Such manipulation of the argument req.query leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The name of the patch is 805d82e7100d49b79b3beb1b9420e8e458987198. It is best practice to apply a patch to resolve this issue.

AnalysisAI

OS command injection in vertex-app vertex (all versions through 2026.02.12) allows remote low-privileged authenticated users to execute arbitrary operating system commands via the Log Viewer Endpoint. The root cause is direct interpolation of the user-controlled req.query.type parameter into a shell-executed execSync() call in app/model/LogMod.js, enabling shell metacharacter injection without any sanitization or allowlist validation. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain low-privilege authenticated session

Delivery

Send HTTP GET to Log Viewer Endpoint with crafted 'type' parameter

Exploit

Inject shell metacharacters into execSync() template literal

Execution

Node.js spawns /bin/sh executing injected command

Impact

Read sensitive files or establish reverse shell as app process user