SSA-779310
Vulnerability from csaf_siemens - Published: 2026-06-30 00:00 - Updated: 2026-06-30 00:00
Summary
SSA-779310: Arbitrary Code Execution Vulnerability in Mendix Studio Pro Before V11.12
Notes
Summary: Mendix Studio Pro versions before V11.12 are affected by a file parsing vulnerability that could be triggered when the application reads a specially crafted malicious project during the build pipeline. This could allow an attacker to execute arbitrary code in the context of that user.
Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
General Recommendations: As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.
Affected versions of Mendix Studio Pro do not properly validate or sanitize project files processed during the build pipeline. This could allow an attacker who tricks a user into opening and running a specially crafted malicious project locally on their system to execute arbitrary code in the context of that user.
CVSS v3.1 base score: 5.4 (Medium)
Affected products
Known affected
26 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Mendix Studio Pro 10.11 | Siemens / Mendix Studio Pro 10.11 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.12 | Siemens / Mendix Studio Pro 10.12 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.13 | Siemens / Mendix Studio Pro 10.13 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.14 | Siemens / Mendix Studio Pro 10.14 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.15 | Siemens / Mendix Studio Pro 10.15 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.16 | Siemens / Mendix Studio Pro 10.16 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.17 | Siemens / Mendix Studio Pro 10.17 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.18 | Siemens / Mendix Studio Pro 10.18 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.19 | Siemens / Mendix Studio Pro 10.19 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.20 | Siemens / Mendix Studio Pro 10.20 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.21 | Siemens / Mendix Studio Pro 10.21 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.22 | Siemens / Mendix Studio Pro 10.22 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.23 | Siemens / Mendix Studio Pro 10.23 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 10.24 < V10.24.21 | Siemens / Mendix Studio Pro 10.24 | vers:intdot/<10.24.21 | Vendor Fix: update to V10.24.21 or later (https://docs.mendix.com/releasenotes/studio-pro/10.24/) |
| Mendix Studio Pro 11.0 | Siemens / Mendix Studio Pro 11.0 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.1 | Siemens / Mendix Studio Pro 11.1 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.10 | Siemens / Mendix Studio Pro 11.10 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.11 | Siemens / Mendix Studio Pro 11.11 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.2 | Siemens / Mendix Studio Pro 11.2 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.3 | Siemens / Mendix Studio Pro 11.3 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.4 | Siemens / Mendix Studio Pro 11.4 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.5 | Siemens / Mendix Studio Pro 11.5 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.6 < V11.6.7 | Siemens / Mendix Studio Pro 11.6 | vers:intdot/<11.6.7 | Vendor Fix: update to V11.6.7 or later (https://docs.mendix.com/releasenotes/studio-pro/11.6/) |
| Mendix Studio Pro 11.7 | Siemens / Mendix Studio Pro 11.7 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.8 | Siemens / Mendix Studio Pro 11.8 | vers:all/* | No Fix Planned |
| Mendix Studio Pro 11.9 | Siemens / Mendix Studio Pro 11.9 | vers:all/* | No Fix Planned |
References
2 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited. (TLPv2: TLP:CLEAR)",
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Mendix Studio Pro versions before V11.12 are affected by a file parsing vulnerability that could be triggered when the application reads specially crafted malicious project during the build pipeline. This could allow an attacker to execute arbitrary code in the context of that user.\n\nSiemens has released new versions for several affected products and recommends to update to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet available.",
"title": "Summary"
},
{
"category": "general",
"text": "As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens\u0027 operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.\n\nAdditional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-779310: Arbitrary Code Execution Vulnerability in Mendix Studio Pro Before V11.12 - HTML Version",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-779310.html"
},
{
"category": "self",
"summary": "SSA-779310: Arbitrary Code Execution Vulnerability in Mendix Studio Pro Before V11.12 - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-779310.json"
}
],
"title": "SSA-779310: Arbitrary Code Execution Vulnerability in Mendix Studio Pro Before V11.12",
"tracking": {
"current_release_date": "2026-06-30T00:00:00.000Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-779310",
"initial_release_date": "2026-06-30T00:00:00.000Z",
"revision_history": [
{
"date": "2026-06-30T00:00:00.000Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "interim",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.11",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.11"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.12",
"product_id": "2"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.12"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.13",
"product_id": "3"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.13"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.14",
"product_id": "4"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.14"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.15",
"product_id": "5"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.15"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.16",
"product_id": "6"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.16"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.17",
"product_id": "7"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.17"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.18",
"product_id": "8"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.18"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.19",
"product_id": "9"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.19"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.20",
"product_id": "10"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.20"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.21",
"product_id": "11"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.21"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.22",
"product_id": "12"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.22"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 10.23",
"product_id": "13"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.23"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c10.24.21",
"product": {
"name": "Mendix Studio Pro 10.24 \u003c V10.24.21",
"product_id": "14"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 10.24"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.0",
"product_id": "15"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.0"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.1",
"product_id": "16"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.1"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.10",
"product_id": "17"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.10"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.11",
"product_id": "18"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.11"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.2",
"product_id": "19"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.2"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.3",
"product_id": "20"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.3"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.4",
"product_id": "21"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.4"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.5",
"product_id": "22"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.5"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:intdot/\u003c11.6.7",
"product": {
"name": "Mendix Studio Pro 11.6 \u003c V11.6.7",
"product_id": "23"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.6"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.7",
"product_id": "24"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.7"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.8",
"product_id": "25"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.8"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Mendix Studio Pro 11.9",
"product_id": "26"
}
}
],
"category": "product_name",
"name": "Mendix Studio Pro 11.9"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-48192",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "description",
"text": "Affected versions of Mendix Studio Pro do not properly validate or sanitize project files processed during the build pipeline.\r\nThis could allow an attacker who tricks a user into opening and running a specially crafted malicious project locally on their system to execute arbitrary code in the context of that user.",
"title": "CVE Description"
}
],
"product_status": {
"known_affected": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15",
"16",
"17",
"18",
"19",
"20",
"21",
"22",
"23",
"24",
"25",
"26"
]
},
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no fix is planned",
"product_ids": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"15",
"16",
"17",
"18",
"19",
"20",
"21",
"22",
"24",
"25",
"26"
]
},
{
"category": "vendor_fix",
"details": "Update to V10.24.21 or later version",
"product_ids": [
"14"
],
"url": "https://docs.mendix.com/releasenotes/studio-pro/10.24/"
},
{
"category": "vendor_fix",
"details": "Update to V11.6.7 or later version",
"product_ids": [
"23"
],
"url": "https://docs.mendix.com/releasenotes/studio-pro/11.6/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"10",
"11",
"12",
"13",
"14",
"15",
"16",
"17",
"18",
"19",
"20",
"21",
"22",
"23",
"24",
"25",
"26"
]
}
],
"title": "CVE-2026-48192"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.