Is there a public PoC exploit available for CVE-2026-6860?

Yes, a public proof-of-concept exploit is available for CVE-2026-6860. Prioritise patching immediately. EPSS: 0.0%.

Eclipse Vert.x CVE-2026-6860

Q: What is the CVSS score of CVE-2026-6860?

CVE-2026-6860 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-27655 MEDIUM

Improper Certificate Validation (CWE-295)

2026-05-06 emo@eclipse.org

GHSA-3g76-f9xq-8vp6

Information Disclosure

6.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 06, 2026 - 10:30 vuln.today

Analysis Generated

May 06, 2026 - 10:30 vuln.today

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2,106 maven packages depend on io.vertx:vertx-core (166 direct, 1,940 indirect)

Ecosystem-wide dependent count for version 4.3.4.

DescriptionNVD

A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.

AnalysisAI

Wildcard TLS certificate validation in Eclipse Vert.x allows remote attackers to bypass Server Name Indication (SNI) hostname verification by presenting arbitrary subdomains matching wildcard patterns, potentially disclosing sensitive server configuration and enabling certificate reuse across unintended service endpoints. The vulnerability affects Vert.x versions using unbounded SNI cache mechanisms without proper hostname validation constraints, and is fixed by implementing bounded LRU caching with proper synchronization and hostname matching enforcement.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6860 vulnerability details – vuln.today

Back

Eclipse Vert.x CVE-2026-6860

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

Share

Eclipse Vert.x CVE-2026-6860

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code