CVE-2026-28286

Severity: CRITICAL 9.9 · EPSS percentile 32.6%

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions only in the frontend/UI to prevent users from creating files or folders in internal OS paths. When interacting directly with the API, those restrictions can be bypassed. By sending a crafted request targeting paths such as /etc, /usr, or other sensitive system directories, the API creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.41% probability of exploitation · percentile 32.6% · 2026-06-19T12:03:05Z
Published: 2026-03-02
Last modified: 2026-03-05

Underlying weaknesses (1)

CWE-73: External Control of File Name or Path

References

  1. https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-65mg-9gw5-vr7g


Type      | Target                                          | Confidence | Tier
----------|-------------------------------------------------|------------|-----
Weakness  | External Control of File Name or Path (cwe-73)  | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-28442
  - CVE: CVE-2026-21891
  - CVE: CVE-2026-28798
  - CVE: CVE-2026-32056
  - CVE: Zyxel Multiple Firewalls OS Command Injection Vulnerability
  - CVE: CVE-2025-14108

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.