CVE-2026-12104 | OS command injection in the environment and tunnel configura… | CVSS 8.6 HIGH

Description

OS command injection in the environment and tunnel configuration functionality in SIMA GmbH Bondix through version 1.25.7.5 on Linux allows an authenticated attacker with configuration write access to execute arbitrary operating-system commands via crafted configuration values passed to server-side scripts.

Metadata

CVE ID: CVE-2026-12104
State: PUBLISHED
Assigner: NCSC.ch
Reserved: 2026-06-12 14:28 UTC
Published: 2026-06-19 13:41 UTC
Last updated: 2026-06-19 15:03 UTC
Primary CWE: CWE-78
CWE-78 Improper neutralization of special elements used in a…
Vendor / Product: SIMA GmbH / Bondix Server
Sources: cve.org · NVD

Severity & Metrics

8.6 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber

Affected products (1)

Vendor	Product	Platform	Versions
SIMA GmbH	Bondix Server	Linux	0 ≤ 1.25.7.5, 1.25.7.6

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber

References (2)