Critical severity10.0NVD Advisory· Published May 5, 2026· Updated May 6, 2026

CVE-2026-7411

Description

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.eclipse.basyx:basyx.sdkMaven	< 2.0.0-milestone-10	2.0.0-milestone-10

Affected products

Eclipse Basyx/Java Sdkinferred
Range: <2.0.0-milestone-10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-8gpm-h2mh-36qcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-7411ghsaADVISORY
gitlab.eclipse.org/security/cve-assignment/-/issues/102nvdWEB
gitlab.eclipse.org/security/vulnerability-reports/-/issues/423nvdWEB

News mentions

ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories
The Hacker News · May 7, 2026

cvss	0.650
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000