Vertex
Monthly
OS command injection in vertex-app vertex (all versions through 2026.02.12) allows a remote, low-privileged, authenticated user to execute arbitrary operating system commands via the Log Viewer endpoint. The root cause is direct interpolation of the user-controlled `req.query.type` parameter into a command string passed to `execSync()` in `app/model/LogMod.js`. Because `execSync()` hands that string to a shell, metacharacters such as `;`, `|`, `&&` and `$()` supplied in the parameter are interpreted as shell syntax, and the value is neither sanitized nor checked against an allowlist. A public proof-of-concept exists on GitHub Gist and Google Drive. At the time of analysis the vulnerability was not listed in CISA's KEV catalog as confirmed actively exploited, but the CVSS temporal metrics E:P (proof-of-concept exploit) and RC:C (confirmed report) raise the real-world urgency.