Skip to main content

Bosh Director

1 CVEs product

Monthly

CVE-2026-41010 HIGH PATCH This Week

Command injection in Cloud Foundry BOSH Director (all versions prior to v282.1.12) allows an authenticated release uploader to achieve arbitrary OS command execution on the Director by embedding shell metacharacters in the jobs[].name field of a release.MF manifest inside an uploaded tarball. The unsafe value flows from ReleaseJob#unpack into a /bin/sh -c invocation via Bosh::Common::Exec.sh, so payloads such as $(...) or ; are interpreted by the shell during release unpacking. No public exploit identified at time of analysis; no CISA KEV listing, but the Cloud Foundry Foundation has published an advisory and a fixed release.

Command Injection Bosh Director
NVD
CVSS 4.0
8.7
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Command injection in Cloud Foundry BOSH Director (all versions prior to v282.1.12) allows an authenticated release uploader to achieve arbitrary OS command execution on the Director by embedding shell metacharacters in the jobs[].name field of a release.MF manifest inside an uploaded tarball. The unsafe value flows from ReleaseJob#unpack into a /bin/sh -c invocation via Bosh::Common::Exec.sh, so payloads such as $(...) or ; are interpreted by the shell during release unpacking. No public exploit identified at time of analysis; no CISA KEV listing, but the Cloud Foundry Foundation has published an advisory and a fixed release.

Command Injection Bosh Director
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy