What is the CVSS score of CVE-2026-28442?

CVE-2026-28442 has a CVSS 3.1 base score of 8.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Zimaos are affected by CVE-2026-28442?

CVE-2026-28442 affects ZimaOS 1.5.2-beta3 and allows attackers to bypass file deletion restrictions, potentially enabling unauthorized modification or destruction of critical system files.

Is there a public PoC exploit available for CVE-2026-28442?

Yes, a public proof-of-concept exploit is available for CVE-2026-28442. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-28442?

Within 24 hours: Inventory all ZimaOS 1.5.2-beta3 deployments and assess their criticality and exposure to untrusted users. Within 7 days: Implement network segmentation to restrict administrative access, disable unnecessary user privileges, and enable comprehensive audit logging of file system operations. Within 30 days: Upgrade to the next available stable ZimaOS release or alternative platform if patches remain unavailable; evaluate switching to CasaOS or other hardened alternatives.

Zimaos CVE-2026-28442

HIGH

External Control of File Name or Path (CWE-73)

2026-03-05 security-advisories@github.com

Authentication Bypass Zimaos

8.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.5 HIGH

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

PoC Detected

Mar 12, 2026 - 13:07 vuln.today

Public exploit code

CVE Published

Mar 05, 2026 - 21:16 nvd

HIGH 8.5

DescriptionGitHub Advisory

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be bypassed. By altering the path parameter in the delete request, internal OS files and directories can be removed successfully. The backend processes these manipulated requests without validating whether the targeted path belongs to restricted system locations. This demonstrates improper input validation and broken access control on sensitive filesystem operations. No known public patch is available.

AnalysisAI

ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass UI restrictions and remove critical system files and directories. Public exploit code exists for this vulnerability, and the lack of input validation on path parameters enables attackers with API access to potentially render the system unbootable or cause denial of service. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to ZimaOS API

Exploit

Craft delete request with manipulated path parameter

Execution

Bypass path validation checks

Impact

Delete critical system files and directories

Access

Authenticate to ZimaOS API

Exploit

Craft delete request with manipulated path parameter

Execution

Bypass path validation checks

Impact

Delete critical system files and directories

Vulnerability AssessmentAI

Exploitation	Authenticated user account required (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all ZimaOS 1.5.2-beta3 deployments and assess their criticality and exposure to untrusted users. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-28442 vulnerability details – vuln.today

Back

Zimaos CVE-2026-28442

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code