CVE-2026-28798 · CRITICAL 10.0 · EPSS p30.4%

CVE-2026-28798

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.39% probability of exploitation · percentile 30.4% · 2026-06-19T12:03:05Z
Published: 2026-04-03
Last modified: 2026-04-13

Underlying weaknesses · 1

CWE-918

References

  1. https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3
  2. https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m


Type: Weakness
Target: Server-Side Request Forgery (SSRF), cwe-918
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-21891
  2. CVE: CVE-2026-28286
  3. CVE: CVE-2026-28442
  4. CVE: Zyxel Multiple Firewalls OS Command Injection Vulnerability
  5. CVE: Zyxel Multiple NAS Devices Command Injection Vulnerability
  6. CVE: Zyxel DSL CPE OS Command Injection Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.