PT-2026-22628 · Zimaos+1

Rushi9 · Published 2026-03-02 · Updated 2026-03-06

CVE-2026-28286 · CVSS v3.1 9.9 Critical · AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ZimaOS version 1.5.2-beta3

Description: ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. The application enforces restrictions in the user interface to prevent the creation of files or folders in internal OS paths, but these restrictions can be bypassed by interacting directly with the API. A crafted request targeting paths such as /etc, /usr or other sensitive system directories creates files or directories in locations where normal users should not have write access. The API does not properly validate the target path, enabling unauthorized operations on critical system directories. No specific API endpoint, parameters or functions are named.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
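The root cause described above is a path check that lives only in the UI, so the API accepts any target path. The following Go code is an added illustration of the defensive pattern, not ZimaOS's or CasaOS's own code: it contrasts a naive deny-list on the raw string (the kind of check a UI might do, which a `..` segment slips past) with a server-side check that cleans the path and requires it to resolve under a single data root. The `/DATA` root, the deny-list entries and the sample requests are assumed values constructed for the example; the advisory names no endpoint or layout.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// DataRoot is an assumed location for user-writable files (hypothetical;
// the advisory does not describe ZimaOS's real layout).
const DataRoot = "/DATA"

// systemRoots is a constructed deny-list of internal OS paths.
var systemRoots = []string{"/etc", "/usr", "/bin", "/boot", "/var"}

// DenyListOK is the weak form of the check: it compares the raw, uncleaned
// request against a deny-list. It exists here only to show why a string
// prefix test is not enough; "/DATA/../etc/x" passes it yet lands in /etc.
func DenyListOK(requested string) bool {
	for _, r := range systemRoots {
		if requested == r || strings.HasPrefix(requested, r+"/") {
			return false
		}
	}
	return true
}

// ErrOutsideRoot is returned for any request that would escape the data root.
var ErrOutsideRoot = errors.New("path resolves outside the data root")

// ConfineToRoot is the server-side check an API handler should apply before
// creating files or directories. It normalises the client path (resolving
// "." and ".." lexically), treats relative paths as relative to root, and
// rejects anything whose cleaned form is not root itself or beneath it.
// The check is lexical only: on a real filesystem, follow it with
// filepath.EvalSymlinks on the parent and re-check, so a symlink inside the
// root cannot point the write elsewhere.
func ConfineToRoot(root, requested string) (string, error) {
	absRoot := filepath.Clean(root)
	if !filepath.IsAbs(requested) {
		requested = filepath.Join(absRoot, requested)
	}
	target := filepath.Clean(requested)

	// filepath.Rel avoids the classic "/DATA" vs "/DATAX" prefix mistake:
	// a target outside root yields a relative path starting with "..".
	rel, err := filepath.Rel(absRoot, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() {
	// Constructed sample requests, including ones that a UI-only deny-list
	// would not catch.
	requests := []string{
		"/DATA/AppData/notes.txt",
		"/etc/cron.d/job",
		"/DATA/../etc/cron.d/job",
		"docs/../../usr/local/bin/tool",
		"/DATAX/escape",
	}
	for _, r := range requests {
		target, err := ConfineToRoot(DataRoot, r)
		fmt.Printf("%-32s deny-list ok: %-5v confine: ", r, DenyListOK(r))
		if err != nil {
			fmt.Println("REJECTED:", err)
			continue
		}
		fmt.Println("OK ->", target)
	}
}
```

The important property is that the check runs in the API layer on every write-capable request, regardless of what the UI already filtered, and that it is an allow-one-root decision rather than a deny-list of known bad directories.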

Exploit

Weakness Enumeration

Related Identifiers

CVE-2026-28286
GHSA-65MG-9GW5-VR7G

Affected Products

Casaos
Zimaos