PT-2026-22628 · Zimaos+1

Rushi9 · Published 2026-03-02 · Updated 2026-04-07 · CVE-2026-28286

CVSS v3.1 9.9 Critical
Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ZimaOS version 1.5.2-beta3

Description: ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application restricts file and folder creation in internal OS paths through the user interface, but these restrictions can be bypassed by interacting with the API directly. A crafted request targeting paths such as /etc or /usr creates files or directories in locations where normal users lack write access, because the API does not properly validate the target path before operating on critical system directories. The API endpoint is therefore vulnerable to path traversal; the vulnerable parameter is the target path supplied in the API request.

Recommendations: Update ZimaOS to a newer version that contains a fix for this vulnerability. At the moment, there is no information about a newer version that contains a fix.
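The root cause described above is a missing check that the requested target stays inside the tree the caller is allowed to write to. The Go function below is an added example of such a server-side check, not ZimaOS or CasaOS code; it assumes a hypothetical absolute per-user root directory and a request-supplied relative target, and rejects absolute paths such as /etc or /usr, ".." traversal and symlinks that resolve outside the root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot flags a request that would write outside the permitted tree.
var ErrOutsideRoot = errors.New("target path escapes the permitted root")

// within reports whether p (a cleaned absolute path) is root or lies beneath it.
func within(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// SafeTarget interprets a user-supplied target path relative to root (an absolute,
// hypothetical per-user data directory; not ZimaOS's real layout) and returns the
// absolute path to create. Absolute targets such as /etc or /usr, ".." traversal
// and symlinks that point outside root are all rejected.
func SafeTarget(root, target string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root) // canonical root, e.g. /tmp -> /private/tmp
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, target) // Join also collapses ".." segments
	if filepath.IsAbs(target) || !within(absRoot, candidate) {
		return "", fmt.Errorf("%w: %q", ErrOutsideRoot, target)
	}
	// A symlink inside root can still point at /etc: resolve the deepest existing ancestor.
	existing := candidate
	for _, err := os.Lstat(existing); err != nil; _, err = os.Lstat(existing) {
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if !within(absRoot, resolved) {
		return "", fmt.Errorf("%w: %q resolves outside root", ErrOutsideRoot, existing)
	}
	return candidate, nil
}

func main() {
	fmt.Println(SafeTarget(os.TempDir(), "docs/new-folder")) // constructed sample request
}
```

Rejections are returned as a distinct error value so the handler can log them as a detection signal rather than silently remapping the path.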

Exploit

LPE


Weakness Enumeration

Related Identifiers

CVE-2026-28286
GHSA-65MG-9GW5-VR7G

Affected Products

Casaos
Zimaos