CVE-2026-15512
Received Received - Intake

Code Injection in Pig-Mesh Pig Visual Component

Vulnerability report for CVE-2026-15512, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A vulnerability was identified in pig-mesh Pig up to 3.9.2. Affected by this issue is some unknown functionality of the file \pig-master\pig-visual\pig-codegen\src\main\java\com\pig4cloud\pig\codegen\service\impl\GeneratorServiceImpl.java of the component pig-codegen. Such manipulation leads to code injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
pig4cloud pig_mesh to 3.9.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15512 is a critical remote code execution (RCE) vulnerability in the pig-mesh PIG microservice platform, specifically affecting versions up to 3.9.2. The flaw exists in the pig-codegen module, which uses the Apache Velocity template engine to render user-defined templates without proper security controls.

Attackers can exploit this vulnerability by injecting malicious Velocity templates through the template management API. This injection bypasses access restrictions using Java reflection, allowing execution of arbitrary system commands remotely.

The attack involves sending a PUT request with a malicious payload to update a template, which is then stored in the database. A subsequent GET request to the /generator/preview endpoint retrieves and executes the malicious template, triggering remote code execution.

Successful exploitation can create files on the server, demonstrating full control over the system via the vulnerability.

Impact Analysis

This vulnerability allows an attacker to remotely execute arbitrary code on the affected system, potentially leading to full system compromise.

  • Attackers can run system commands, manipulate files, and control the server environment.
  • It can lead to unauthorized access, data theft, service disruption, or use of the compromised system as a launchpad for further attacks.
  • Because the exploit is publicly available, the risk of exploitation is high.
Detection Guidance

This vulnerability can be detected by attempting to exploit the template injection via the pig-codegen module's template management API. Specifically, you can send a crafted PUT request to update a template with a malicious Velocity template payload that executes a system command, such as creating a file. Then, a GET request to the /generator/preview endpoint can trigger the execution of the injected template.

  • Send a PUT request with a payload like: #set($x=$math.getClass().forName('java.lang.Runtime').getRuntime().exec('touch /tmp/pwned')) to the template management API.
  • Send a GET request to /generator/preview to trigger the execution of the malicious template.

If the file /tmp/pwned is created on the system, it confirms successful exploitation and presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the template management API and the /generator/preview endpoint to trusted users only, as the vulnerability allows remote code execution via template injection.

Avoid using unfiltered or unsafe template engines like Apache Velocity with user-defined templates without proper security controls.

Monitor and audit template updates for suspicious payloads or unexpected changes.

If possible, apply patches or updates from the vendor once available, or consider disabling the vulnerable pig-codegen component until a fix is released.

Compliance Impact

The vulnerability allows remote code execution through unfiltered template injection, which can lead to unauthorized access and manipulation of system resources.

Such unauthorized access and potential data breaches could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

However, the provided information does not explicitly mention the direct impact on compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart