SecuriTricks - CVE-2026-28442

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be bypassed. By altering the path parameter in the delete request, internal OS files and directories can be removed successfully. The backend processes these manipulated requests without validating whether the targeted path belongs to restricted system locations. This demonstrates improper input validation and broken access control on sensitive filesystem operations. No known public patch is available.

Product(s) Impacted

Vendor	Product	Versions
Zima	Zimaos	1.5.2-beta3
Casaos	Casaos	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-73

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
o	zima	zimaos	1.5.2-beta3	/	/	/	/	/	/	/
o	casaos	casaos	/	/	/	/	/	/	/	/

References

https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-q5hp-59wm-9xq3

CVSS Score

8.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

View Vector String

Timeline

Published: March 5, 2026, 9:16 p.m.
Last Modified: March 6, 2026, 5:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-28442