Description
A vulnerability was identified in vertex-app vertex up to 2026.02.12. This issue affects some unknown processing of the file app/model/LogMod.js of the component Log Viewer Endpoint. Such manipulation of the argument req.query leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The name of the patch is 805d82e7100d49b79b3beb1b9420e8e458987198. It is best practice to apply a patch to resolve this issue.
Published: 2026-06-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves unintended processing of the LogMod.js module in the Log Viewer Endpoint of vertex-app vertex. By sending a crafted value in the query string parameter of a request, an attacker can control the content that is passed to an operating system command, resulting in OS command injection and allowing execution of arbitrary shell commands on the underlying host.

Affected Systems

Affected systems are deployments of the vertex-app vertex application, any version up to and including 2026.02.12. The vulnerability originates from the Log Viewer Endpoint component and is triggered through unchecked req.query handling.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, but the lack of an EPSS score and absence from CISA KEV suggest the threat is not yet widely exploited. However, the publicly available exploit and remote nature of the attack raise concern. The attacker can gain command execution with the privileges of the web service, potentially compromising confidentiality, integrity, and availability.

Generated by OpenCVE AI on June 6, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch corresponding to commit 805d82e7100d49b79b3beb1b9420e8e458987198 or upgrade to a version newer than 2026.02.12.
  • Sanitize and validate any query parameters before they are incorporated into operating‑system commands within LogMod.js.
  • Run the Log Viewer Endpoint under the least privilege principle, restricting the service account’s system command permissions and disabling unnecessary command execution capabilities.

Generated by OpenCVE AI on June 6, 2026 at 11:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in vertex-app vertex up to 2026.02.12. This issue affects some unknown processing of the file app/model/LogMod.js of the component Log Viewer Endpoint. Such manipulation of the argument req.query leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The name of the patch is 805d82e7100d49b79b3beb1b9420e8e458987198. It is best practice to apply a patch to resolve this issue.
Title vertex-app vertex Log Viewer Endpoint LogMod.js os command injection
First Time appeared Vertex-app
Vertex-app vertex
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:a:vertex-app:vertex:*:*:*:*:*:*:*:*
Vendors & Products Vertex-app
Vertex-app vertex
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Vertex-app Vertex
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-06T10:30:10.757Z

Reserved: 2026-06-05T18:33:57.349Z

Link: CVE-2026-11408

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-06T11:16:48.347

Modified: 2026-06-06T11:16:48.347

Link: CVE-2026-11408

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-06T12:30:20Z

Weaknesses