CVE-2026-7411

Name of the Vulnerable Software and Affected Versions Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10

Description Inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE), which is the ability to execute arbitrary commands on a target machine, and complete system compromise.

Recommendations Update to version 2.0.0-milestone-10 or later. Avoid using the fileName parameter in the Submodel HTTP API for file uploads until the update is applied.