CVE-2026-11408

vertex-app vertex Log Viewer Endpoint LogMod.js os command injection

Assigner: VulDB
Reserved: 05.06.2026 Published: 06.06.2026 Updated: 06.06.2026

A vulnerability was identified in vertex-app vertex up to 2026.02.12. This issue affects some unknown processing of the file app/model/LogMod.js of the component Log Viewer Endpoint. Such manipulation of the argument req.query leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The name of the patch is 805d82e7100d49b79b3beb1b9420e8e458987198. It is best practice to apply a patch to resolve this issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
CVSS Score: 5.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
CVSS Score: 6.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
CVSS Score: 6.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.0

CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C
CVSS Score: 6.5

Access Vector	Network	Confidentiality Impact	Partial
Access Complexity	Low	Integrity Impact	Partial
Authentication	Single	Availability Impact	Partial

CVSS 2.0

Product Status

Vendor	vertex-app
Product	vertex
Versions	Version 2026.02.0 is affected Version 2026.02.1 is affected Version 2026.02.2 is affected Version 2026.02.3 is affected Version 2026.02.4 is affected Version 2026.02.5 is affected Version 2026.02.6 is affected Version 2026.02.7 is affected Version 2026.02.8 is affected Version 2026.02.9 is affected Version 2026.02.10 is affected Version 2026.02.11 is affected Version 2026.02.12 is affected

Vendor

vertex-app

Product

vertex

Versions

Version 2026.02.0 is affected
Version 2026.02.1 is affected
Version 2026.02.2 is affected
Version 2026.02.3 is affected
Version 2026.02.4 is affected
Version 2026.02.5 is affected
Version 2026.02.6 is affected
Version 2026.02.7 is affected
Version 2026.02.8 is affected
Version 2026.02.9 is affected
Version 2026.02.10 is affected
Version 2026.02.11 is affected
Version 2026.02.12 is affected

Credits

JasperX (VulDB User) reporter

References

Problem Types