Vulnerability Description
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Vert.X | >= 4.3.4, <= 4.5.26 |
Related Weaknesses (CWE)
References
- https://github.com/eclipse-vertx/vert.x/pull/6102Issue TrackingPatch
- https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6Vendor AdvisoryExploit
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381ExploitIssue TrackingThird Party Advisory
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381ExploitIssue TrackingThird Party Advisory
FAQ
What is CVE-2026-6860?
CVE-2026-6860 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accept...
How severe is CVE-2026-6860?
CVE-2026-6860 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-6860?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Vert.X.