PT-2026-57990 · Mongodb+1 · Mongodb+1
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-57898
CVSS v3.1
9.0
Critical
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 through 2.0.0-milestone-12
Description
Deployments using the MongoDB backend are subject to an unauthenticated arbitrary file write via the AAS thumbnail API. The issue occurs because the thumbnail upload path accepts a client-controlled
fileName request parameter, which is used as a repository key and later as a local filesystem path during retrieval. When using the MongoDB file repository, the fileName is treated as an opaque GridFS key and is not normalized or restricted. A remote attacker can upload content using an absolute or traversal-style filename and trigger retrieval to write bytes to an arbitrary path on the server filesystem where the Java process has write permissions, potentially leading to remote code execution.Recommendations
Update to version 2.0.0-milestone-13.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Eclipse Basyx Java Server Sdk
Mongodb