VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

Authenticated OS Command Injection in Bondix

CVE-2026-12104

Description

OS command injection in the environment and tunnel configuration functionality in SIMA GmbH Bondix through version 1.25.7.5 on Linux allows an authenticated attacker with configuration write access to execute arbitrary operating-system commands via crafted configuration values passed to server-side scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing input sanitization in server-side scripts that process environment and tunnel configuration values allows OS command injection."

Attack vector

An authenticated attacker with configuration write access sends specially crafted configuration values through the environment or tunnel configuration interface. These values are passed unsanitized to server-side scripts that execute operating-system commands, resulting in OS command injection [CWE-78]. The attack is network-accessible and requires high privileges but no user interaction.

Affected code

The vulnerability resides in the environment and tunnel configuration functionality of Bondix Server on Linux. Server-side scripts process configuration values without proper sanitization, allowing crafted inputs to reach a shell execution context.

What the fix does

The advisory states the issue is fixed in Bondix Server version 1.25.7.6. No patch diff is provided in the bundle, but the recommended action is to upgrade to that version or later. The fix presumably sanitizes or escapes configuration values before they are passed to shell execution contexts, preventing injection of arbitrary commands.
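The two patterns the narrative contrasts (configuration values spliced into a shell command string versus values validated and passed as discrete arguments) are shown below as an added example. This is illustrative Python written for this page, not Bondix code: the "interface name" setting, the allowlist pattern and the `ip link` command are assumptions chosen to stand in for whatever the real server-side scripts consume.

```python
import re
import shlex
import subprocess

# Constructed allowlist for a hypothetical interface-name setting; the pattern
# is an assumption for this example, not Bondix's real validation rule.
INTERFACE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")

# Shell metacharacters that turn a data value into extra command syntax.
SHELL_META = set(";&|`$<>()\n\r")


def build_command_unsafe(iface: str) -> str:
    """The vulnerable pattern (CWE-78): the configuration value is interpolated
    into a command string that a shell would later parse. Returned as a string
    rather than executed so the effect of interpolation can be inspected."""
    return f"ip link set dev {iface} up"


def build_command_safe(iface: str) -> list[str]:
    """Hardened pattern: validate against an allowlist, then hand the value to
    the process as its own argv element so no shell ever interprets it."""
    if not INTERFACE_NAME.fullmatch(iface):
        raise ValueError(f"rejected configuration value: {iface!r}")
    return ["ip", "link", "set", "dev", iface, "up"]


def build_command_quoted(iface: str) -> str:
    """Fallback when a shell string is unavoidable: validate first, then quote
    so the value is a single literal word to the shell."""
    if not INTERFACE_NAME.fullmatch(iface):
        raise ValueError(f"rejected configuration value: {iface!r}")
    return f"ip link set dev {shlex.quote(iface)} up"


def run_safe(iface: str) -> subprocess.CompletedProcess:
    """Execute without a shell (shell=False is the default), so the argv list
    reaches the program unchanged."""
    return subprocess.run(build_command_safe(iface), check=False, capture_output=True)


def shell_would_interpret(cmd: str) -> bool:
    """Review/logging helper: flags a command string containing metacharacters
    that a shell would treat as syntax rather than as part of an argument."""
    return any(ch in SHELL_META for ch in cmd)


if __name__ == "__main__":
    # Constructed sample inputs: one benign value, one carrying shell syntax.
    for value in ("eth0", "eth0; echo injected"):
        unsafe = build_command_unsafe(value)
        print(f"unsafe string: {unsafe!r} -> shell would interpret: {shell_would_interpret(unsafe)}")
        try:
            print(f"safe argv:     {build_command_safe(value)}")
        except ValueError as exc:
            print(f"safe path:     {exc}")
```

The allowlist check is what actually closes the hole; quoting with `shlex.quote` only helps when the value must travel through a shell, and passing an argv list avoids the shell entirely. Logging every rejected value gives operators a detection signal for attempts against the configuration interface.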

Preconditions

  • auth: The attacker must have an authenticated session with configuration write access to the Bondix Server instance.
  • config: The Bondix Server must be running on Linux and be at version 1.25.7.5 or earlier.
  • network: The attacker must be able to reach the Bondix Server over the network.
  • input: The attacker must submit crafted configuration values through the environment or tunnel configuration interface.

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
