CVE-2026-6860

EUVD-2026-27655
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
eclipseCNA
6.9 MEDIUM
NETWORK
LOW
NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
eclipsevert.x
4.3.4 ≤
𝑥
≤ 4.5.26
CNA
eclipsevert.x
5.0.0 ≤
𝑥
≤ 5.0.11
CNA
References
https://github.com/eclipse-vertx/vert.x/pull/6102
https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381