Unauthenticated File Write Vulnerability in Eclipse BaSyx Java Server SDK
CVE-2026-57898

9CRITICAL

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-57898?

The Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12 contain a vulnerability that allows unauthenticated remote attackers to upload arbitrary files to the server. This occurs through the AAS thumbnail API, where the filename parameter is not properly sanitized. An attacker can exploit this flaw by crafting a request with an absolute or traversal-style path that gets processed directly as a file path on the server. As a result, files may be written to any location the Java process has permission to access, potentially leading to remote code execution. This issue is mitigated in version 2.0.0-milestone-13.

Affected Version(s)

Eclipse BaSyx - Java Server SDK 2.0.0-milestone-05 < 2.0.0-milestone-13

References

CVSS V3.1

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.