Skip to main content

Eclipse Basyx Java Server Sdk

1 CVEs product

Monthly

CVE-2026-57898 CRITICAL PATCH Act Now

Unauthenticated arbitrary file write in Eclipse BaSyx Java Server SDK (2.0.0-milestone-05 through 2.0.0-milestone-12) lets remote attackers plant files anywhere the Java process can write when the server is deployed with the MongoDB file backend, potentially escalating to remote code execution. The AAS thumbnail API trusts a client-supplied fileName that is later reused as a filesystem path, so a traversal or absolute-path filename lands attacker-controlled bytes outside the intended directory. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-fixed release (2.0.0-milestone-13) is available.

Path Traversal RCE Java Eclipse Basyx Java Server Sdk
NVD VulDB
CVSS 3.1
9.0
EPSS
0.4%
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Unauthenticated arbitrary file write in Eclipse BaSyx Java Server SDK (2.0.0-milestone-05 through 2.0.0-milestone-12) lets remote attackers plant files anywhere the Java process can write when the server is deployed with the MongoDB file backend, potentially escalating to remote code execution. The AAS thumbnail API trusts a client-supplied fileName that is later reused as a filesystem path, so a traversal or absolute-path filename lands attacker-controlled bytes outside the intended directory. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-fixed release (2.0.0-milestone-13) is available.

Path Traversal RCE Java +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy