PT-2026-57990 · Mongodb+1 · Mongodb+1

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-57898

CVSS v3.1

9.0

Critical

VectorAV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 through 2.0.0-milestone-12
Description Deployments using the MongoDB backend are subject to an unauthenticated arbitrary file write via the AAS thumbnail API. The issue occurs because the thumbnail upload path accepts a client-controlled fileName request parameter, which is used as a repository key and later as a local filesystem path during retrieval. When using the MongoDB file repository, the fileName is treated as an opaque GridFS key and is not normalized or restricted. A remote attacker can upload content using an absolute or traversal-style filename and trigger retrieval to write bytes to an arbitrary path on the server filesystem where the Java process has write permissions, potentially leading to remote code execution.
Recommendations Update to version 2.0.0-milestone-13.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-57898

Affected Products

Eclipse Basyx Java Server Sdk
Mongodb