CVE-2026-28207

Name of the Vulnerable Software and Affected Versions Zen C versions prior to 0.4.2

Description A command injection issue exists in the Zen C compiler. Prior to version 0.4.2, a local attacker can execute arbitrary shell commands by providing a specially crafted output filename via the -o command-line argument. The issue resided in the main application logic, specifically in src/main.c, where the compiler constructed a shell command string using the system() function. The system() function invoked a shell, interpreting shell metacharacters within the output filename, leading to arbitrary command execution. The vulnerable component is the system() function. The attacker needs to influence the command-line arguments passed to the zc compiler.

Recommendations Update to Zen C version 0.4.2 or later.