CVE-2026-11408
Description
Vertex app versions prior to 2026.02.12 are vulnerable to OS command injection via the log viewer endpoint, allowing remote attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in vertex-app vertex up to version 2026.02.12, specifically within the Log Viewer Endpoint's file processing in app/model/LogMod.js. The type parameter from req.query is directly incorporated into a shell command executed by execSync without proper sanitization or escaping, leading to OS command injection.
Exploitation
An attacker can exploit this vulnerability remotely. The attack requires the attacker to induce a logged-in administrator to visit a crafted URL. This is possible because the application does not implement CSRF protections for this action. A payload such as /api/log/get?type=$(touch /tmp/poc) can be used to trigger arbitrary command execution [3].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands on the server. This can lead to a full compromise of the affected system, depending on the privileges of the running Vertex application process.
Mitigation
The vulnerability is fixed in commit 805d82e7100d49b79b3beb1b9420e8e458987198 [2]. It is recommended to apply this patch to resolve the issue. No information regarding specific version numbers for the patched release or workarounds is available in the provided references.
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: <=2026.02.12
Patches
13 files changed · +22 −8
app/model/LogMod.js+15 −4 modified@@ -1,13 +1,24 @@ -const { execSync } = require('child_process'); +const { spawnSync } = require('child_process'); const path = require('path'); const fs = require('fs'); const logger = require('../libs/logger'); class LogMod { get (options) { - const logFile = path.join(__dirname, `../../logs/app-${options.type}.log`); - const log = execSync(`tail -n 2000 ${logFile}`).toString(); - return log; + if (['error', 'info', 'debug', 'watch', 'watchdebug', 'binge', 'bingedebug', 'advanceddebug', 'advanced', 'scdebug', 'sc'].includes(options.type)) { + try { + const logFile = path.join(__dirname, `../../logs/app-${options.type}.log`); + if (!fs.existsSync(logFile)) { + return '日志文件尚不存在'; + } + const log = spawnSync('tail', ['-n', '2000', logFile]); + return log.stdout.toString(); + } catch (e) { + logger.error(e); + return '读取日志时发生错误'; + } + } + return '不支持的日志类型'; }; clear () {
app/model/TorrentMod.js+5 −3 modified@@ -1,6 +1,7 @@ const util = require('../libs/util'); const logger = require('../libs/logger'); const path = require('path'); +const { spawnSync } = require('child_process'); class TorrentMod { async list (options) { @@ -557,11 +558,12 @@ class TorrentMod { for (const file of options.files) { const { server, filepath } = file; try { - logger.info(global.runningServer[server].server.alias, '执行删除文件命令:', `rm -f $'${filepath}'`); + const _filepath = filepath.replace(/'/g, '\\\''); + logger.info(global.runningServer[server].server.alias, '执行删除文件命令:', `rm -f $'${_filepath}'`); if (server === '$local') { - await util.exec(`rm -f $'${filepath}'`); + spawnSync('rm', ['-f', filepath]); } else { - await global.runningServer[server].run(`rm -f $'${filepath}'`); + await global.runningServer[server].run(`rm -f $'${_filepath}'`); } } catch (e) { isError = true;
app/routes/router.js+2 −1 modified@@ -130,7 +130,8 @@ module.exports = function (app, express, router) { store: new RedisStore(redisConfig), secret: 'sses:xetrev', cookie: { - maxAge: 1000 * 60 * 60 * 24 * 30 + maxAge: 1000 * 60 * 60 * 24 * 30, + sameSite: 'lax' } })); app.use('/api', express.text({ type: 'text/xml' }));
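Review bot: `get` in app/model/LogMod.js ignores the child's exit status and stderr: `const log = spawnSync('tail', ['-n', '2000', logFile]);` followed by `return log.stdout.toString();` returns an empty string when tail exits non-zero (unreadable file, permissions) and only reaches the catch block when `stdout` is null. Check `log.error` and `log.status !== 0` before returning, or, since the path is now built only from allowlisted values, read the file with `fs` directly and drop the child process entirely.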
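Review bot: in the second hunk of app/model/TorrentMod.js the remote branch still builds a shell string, and `filepath.replace(/'/g, '\\\'')` escapes single quotes but not backslashes; inside `$'...'` a `\\` pair is consumed as one literal backslash, so a path that already contains `\'` ends the quoted string early. Escape backslashes before quotes (`replace(/\\/g, '\\\\')` first), or give `run()` an argument-list form so the remote branch can match the local `spawnSync('rm', ['-f', filepath])`. The `logger.info` line also records the escaped form rather than the original path, which will confuse anyone reading the logs.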
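Review bot: `sameSite: 'lax'` in app/routes/router.js does not cover the crafted-URL vector this advisory describes: Lax cookies are still sent on top-level GET navigations, and the log endpoint is reached by GET. Pair the cookie attribute with a CSRF token, or move side-effecting actions to POST (or use `'strict'` if the app has no legitimate cross-site entry points). The unchanged context also shows a hard-coded session `secret`; loading it from configuration is a separate but worthwhile follow-up.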
Vulnerability mechanics
Root cause
"The application passes user-controlled input directly into a shell command without proper sanitization or validation."
Attack vector
An attacker can exploit this vulnerability by sending a crafted GET request to the log viewer endpoint. The `type` parameter in the request query is directly incorporated into a shell command executed by `execSync`. This allows the attacker to inject arbitrary shell commands, which are then executed on the server. The exploit is publicly available and can be executed remotely by an unauthenticated attacker [ref_id=3].
Affected code
The vulnerability resides in the `get` method of `app/model/LogMod.js`. This method constructs a log file path using the `options.type` parameter and then executes a shell command using `execSync` to read the log file. The patch modifies this file, replacing `execSync` with `spawnSync` and adding input validation for the `type` parameter [patch_id=5011601].
What the fix does
The patch replaces the use of `execSync` with `spawnSync` for executing the `tail` command. Additionally, it introduces input validation to ensure that the `options.type` parameter is one of the allowed log types. This prevents arbitrary command injection by ensuring that only safe commands are executed and that the input is validated before being used in a command context [patch_id=5011601].
Preconditions
- auth: The attacker needs to be authenticated as an administrator to trigger the vulnerability [ref_id=3].
- network: The vulnerability is remotely exploitable.
- input: The attacker must control the `type` parameter in the GET request query.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- drive.google.com/drive/folders/1DO-kB1eUoB1CksJ_ZKzpUaX0kp5Rgm_T (nvd)
- gist.github.com/menelausx/e632faba4014474fcef6a1f541ca3e4e (nvd)
- github.com/vertex-app/vertex/commit/805d82e7100d49b79b3beb1b9420e8e458987198 (nvd)
- vuldb.com/cve/CVE-2026-11408 (nvd)
- vuldb.com/submit/818442 (nvd)
- vuldb.com/vuln/368967 (nvd)
- vuldb.com/vuln/368967/cti (nvd)