PatchSiren cyber security CVE debrief
CVE-2026-11408 vertex-app CVE debrief
A vulnerability was identified in vertex-app vertex up to 2026.02.12. The issue affects unspecified processing in the file app/model/LogMod.js of the Log Viewer Endpoint component. Manipulating the argument req.query leads to OS command injection. The attack can be executed remotely. The exploit is publicly available and might be used.
- Vendor: vertex-app
- Product: vertex
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-06
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-06
- Advisory updated: 2026-06-08
Who should care
Users of vertex-app vertex up to 2026.02.12
Technical summary
The vulnerability is caused by improper handling of user input in the Log Viewer Endpoint, specifically in the file app/model/LogMod.js. An attacker can inject OS commands by manipulating the req.query argument.
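The class of fix for this kind of bug, as an added example that is not vertex's code or its patch: validate each req.query value strictly, then run the external program without a shell so the values are passed as separate arguments. The parameter names `file` and `lines`, the use of `tail`, the Express-style query object and the log directory are all assumptions made for illustration.

```javascript
// Added illustration, not code from vertex. The query parameter names
// (`file`, `lines`) and the use of `tail` are hypothetical.
const LOG_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.log$/;
const MAX_LINES = 5000;

// Turn an Express-style req.query object into an argv array for `tail`.
// Throws on anything that is not a single, expected string value.
function buildTailArgs(query, logDir) {
  const { file, lines = '200' } = query;
  // Express yields arrays/objects for ?file=a&file=b or ?file[x]=1,
  // so type-check before any string handling.
  if (typeof file !== 'string' || typeof lines !== 'string') {
    throw new TypeError('query parameters must be single strings');
  }
  // Allow-list: a bare file name, no separators, no leading dash, no "..".
  if (!LOG_NAME.test(file) || file.includes('..')) {
    throw new RangeError('unexpected log file name');
  }
  if (!/^[0-9]{1,4}$/.test(lines)) {
    throw new RangeError('line count must be 1 to 4 digits');
  }
  const n = Math.min(parseInt(lines, 10), MAX_LINES);
  // "--" ends option parsing so the path can never be read as a flag.
  return ['-n', String(n), '--', `${logDir}/${file}`];
}

// Run `tail` with execFile: no shell is started, so each argv element
// reaches the program verbatim and metacharacters have no meaning.
async function readLogTail(query, logDir) {
  const args = buildTailArgs(query, logDir);
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile('tail', args, { timeout: 5000, maxBuffer: 1 << 20 },
      (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}
```

A route handler would call `readLogTail(req.query, logDir)` and answer with HTTP 400 when it throws `TypeError` or `RangeError`.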
Defensive priority
LOW
Recommended defensive actions
- Apply the patch 805d82e7100d49b79b3beb1b9420e8e458987198 to resolve this issue.
Evidence notes
The CVE record and NVD detail can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-11408) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-11408). Additional information can be found at [ref-4](https://drive.google.com/drive/folders/1DO-kB1eUoB1CksJ_ZKzpUaX0kp5Rgm_T?usp=sharing), [ref-5](https://gist.github.com/menelausx/e632faba4014474fcef6a1f541ca3e4e), [ref-6](https://github.com/vertex-app/vertex/), and [ref-7](https://github.com/vertex-app/vertex/commit/805d82e7100d49b79b3beb1b9420e8e458987198).
Official resources
CVE-2026-11408 was published on 2026-06-06T11:16:48.347Z and modified on 2026-06-08T14:57:14.757Z.