PatchDay Alert

CVE-2026-7411

0 field notes · 1 digest · CVSS 10.0


Daily digests

An unauthenticated attacker can upload files to any location on the filesystem by abusing a path traversal bug in the Eclipse BaSyx Java Server SDK's Submodel HTTP API. A crafted fileName parameter during file upload lets the attacker write outside the intended directory, which leads directly to remote code execution. This is a CVSS 10.0: no authentication, no user interaction, full system compromise.
