CVE-2026-12104
Received Received - Intake
OS Command Injection in SIMA GmbH Bondix

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: Switzerland Government Common Vulnerability Program

Description
OS command injection in the environment and tunnel configuration functionality in SIMA GmbH Bondix through version 1.25.7.5 on Linux allows an authenticated attacker with configuration write access to execute arbitrary operating-system commands via crafted configuration values passed to server-side scripts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-19
Last Modified
2026-06-19
Generated
2026-06-19
AI Q&A
2026-06-19
EPSS Evaluated
N/A
NVD
CVE-2026-12104
EUVD
EUVD-2026-38031
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
sima_gmbh bondix to 1.25.7.5 (inc)
sima_gmbh bondix 1.25.7.6
sima_gmbh bondix 1.26.01.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-12104 is a high-severity OS command injection vulnerability in SIMA GmbH Bondix Server on Linux platforms, affecting versions up to and including 1.25.7.5.

This vulnerability allows an authenticated attacker who has configuration write access to execute arbitrary operating system commands by submitting specially crafted configuration values that are processed by server-side scripts.

The issue exists specifically in the environment and tunnel configuration functionality of the software.

Impact Analysis

If exploited, this vulnerability can allow an attacker with configuration write access to execute arbitrary commands on the affected system.

This could lead to unauthorized control over the server, potentially compromising system integrity, confidentiality, and availability.

Because the attacker must be authenticated and have configuration write access, the risk is limited to users with elevated privileges, but the impact remains high due to the ability to run arbitrary OS commands.

Detection Guidance

This vulnerability involves OS command injection via crafted configuration values processed by server-side scripts in Bondix Server on Linux. Detection would require identifying unauthorized or suspicious configuration changes or command executions.

No specific detection commands or network indicators are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, upgrade Bondix Server to version 1.25.7.6 or later, where the issue has been fixed.

  • Restrict administrative and configuration write access to trusted users only.
  • Keep Bondix installations updated regularly.
  • Review release notes for security-relevant changes.

If you suspect your system is affected, contact SIMA GmbH support with detailed information including affected versions, reproduction steps, and relevant logs or configuration details.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart