CVE-2026-21891CRITICAL 9.8EPSS p79.9%

CVE-2026-21891CVE-2026-21891

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS2.17% probability of exploitation · percentile 79.9% · 2026-06-19T12:03:05Z
Published2026-01-08
Last modified2026-01-12

Underlying weaknesses· 1

CWE-287

References

  1. https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-xj93-qw9p-jxq4
  2. https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-xj93-qw9p-jxq4

1

TypeTargetConfidenceTier
WeaknessImproper Authenticationcwe-2870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-28286
CVE
CVE-2026-28798
CVE
CVE-2026-28442
CVE
CVE-2026-29193
CVE
CVE-2026-1803
CVE
CVE-2025-54391
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.