Command Injection Vulnerability in BOSH by Cloud Foundry
CVE-2026-41011
8.7HIGH
What is CVE-2026-41011?
A command injection vulnerability exists in BOSH due to improper validation of package names. The issue arises when the package name, sourced directly from the uploaded tarball's metadata, is executed without appropriate escaping. This flaw enables an attacker to craft malicious package names that could lead to arbitrary command execution on the server, as the validation occurs too late in the process. All versions of BOSH prior to v282.1.12 are affected, underscoring the importance of updating to the patched version to mitigate potential risks.
Affected Version(s)
BOSH 0 < 282.1.12
