Command Injection Vulnerability in BOSH by Cloud Foundry
CVE-2026-41011

8.7HIGH

Key Information:

Status
Vendor
CVE Published:
4 June 2026

What is CVE-2026-41011?

A command injection vulnerability exists in BOSH due to improper validation of package names. The issue arises when the package name, sourced directly from the uploaded tarball's metadata, is executed without appropriate escaping. This flaw enables an attacker to craft malicious package names that could lead to arbitrary command execution on the server, as the validation occurs too late in the process. All versions of BOSH prior to v282.1.12 are affected, underscoring the importance of updating to the patched version to mitigate potential risks.

Affected Version(s)

BOSH 0 < 282.1.12

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.