Unauthenticated File Write Vulnerability in Eclipse BaSyx Java Server SDK
CVE-2026-57898
9CRITICAL
What is CVE-2026-57898?
The Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12 contain a vulnerability that allows unauthenticated remote attackers to upload arbitrary files to the server. This occurs through the AAS thumbnail API, where the filename parameter is not properly sanitized. An attacker can exploit this flaw by crafting a request with an absolute or traversal-style path that gets processed directly as a file path on the server. As a result, files may be written to any location the Java process has permission to access, potentially leading to remote code execution. This issue is mitigated in version 2.0.0-milestone-13.
Affected Version(s)
Eclipse BaSyx - Java Server SDK 2.0.0-milestone-05 < 2.0.0-milestone-13
