
F0Nduesav0Yarde

#37997 of 53,632
7.3 Total CVSS
Vulnerabilities · 1
PT-2026-22131
7.3
2026-02-26
Zen C · Zen-C · CVE-2026-28207
**Name of the Vulnerable Software and Affected Versions**

Zen C versions prior to 0.4.2

**Description**

A command injection issue exists in the Zen C compiler. Prior to version 0.4.2, a local attacker can execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The issue resided in the `main` application logic, specifically in `src/main.c`, where the compiler constructed a shell command string using the `system()` function. The `system()` function invoked a shell, interpreting shell metacharacters within the output filename, leading to arbitrary command execution. The vulnerable component is the `system()` function. The attacker needs to influence the command-line arguments passed to the `zc` compiler.

**Recommendations**

Update to Zen C version 0.4.2 or later.
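The pattern described above, next to a shell-free alternative, as an added example that is not Zen C's source code or its actual fix. The function names, the `true` stand-in for the backend compiler, and the sample filename are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed input: an output name carrying a harmless shell metacharacter. */
static const char *HOSTILE_OUT = "out.bin; exit 42";

/* Stand-in for the backend compiler call (assumption); `true` ignores its arguments. */
#define BACKEND "true"

/* Convert a wait status into an exit code, or -1 on abnormal termination. */
static int exit_code(int status) {
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Pattern from the advisory: the -o value is pasted into a string for system(). */
int run_via_shell(const char *out) {
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "%s -o %s", BACKEND, out);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;   /* refuse truncated commands */
    return exit_code(system(cmd));   /* /bin/sh -c treats ';' as a command separator */
}

/* Shell-free form: the -o value is one argv element and is never parsed by a shell. */
int run_via_argv(const char *out) {
    char *const argv[] = { (char *)BACKEND, (char *)"-o", (char *)out, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }   /* 127: exec failed */
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return exit_code(status);
}

int main(void) {
    /* The shell runs the text after ';' as its own command, so the exit code changes. */
    printf("system(): exit %d\n", run_via_shell(HOSTILE_OUT));
    /* With argv, the whole string reaches the child as a literal filename. */
    printf("execvp(): exit %d\n", run_via_argv(HOSTILE_OUT));
    return 0;
}
```

The differing exit codes show that the shell interpreted part of the filename as a command, while the argv form delivered it to the child unchanged.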