PT-2026-23517 · Casaos+1

Rushi9 · Published 2026-03-05 · Updated 2026-03-12 · CVE-2026-28442

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ZimaOS version 1.5.2-beta3
Description: ZimaOS, a fork of CasaOS, contains a security issue in which restrictions on deleting internal system files and folders can be bypassed through manipulation of the API. Altering the path parameter of a delete request allows a user to remove sensitive operating system files and directories, because the backend does not check whether the targeted path lies within a restricted system location. This is improper input validation combined with broken access control on filesystem operations: the deletion endpoint accepts a path parameter that is not properly sanitized, so the parameter can be manipulated freely.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
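An added example (not ZimaOS or CasaOS code) of the server-side check the description says is missing: the delete endpoint canonicalises the supplied path parameter and refuses anything that does not resolve strictly inside a permitted storage root. The roots /DATA and /media are assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Roots under which the delete endpoint is permitted to act. Constructed
// for this example; ZimaOS's real storage layout may differ.
var allowedRoots = []string{"/DATA", "/media"}

var ErrPathNotAllowed = errors.New("delete refused: path is outside the permitted storage roots")

// ValidateDeletePath canonicalises a user-supplied path and returns it only
// if it lies strictly inside one of allowedRoots. Relative paths, ".."
// traversal, the roots themselves and every other location (e.g. /etc,
// /usr, /boot) are refused before any filesystem call is made.
func ValidateDeletePath(userPath string) (string, error) {
	if !filepath.IsAbs(userPath) {
		return "", ErrPathNotAllowed // relative paths are ambiguous; refuse them
	}
	clean := filepath.Clean(userPath) // collapses "." and ".." lexically
	for _, root := range allowedRoots {
		rel, err := filepath.Rel(root, clean)
		if err != nil || rel == "." || rel == ".." ||
			strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			continue // not strictly inside this root
		}
		// On a live system also resolve symlinks (filepath.EvalSymlinks on the
		// parent directory) and repeat this check on the resolved path, so a
		// link placed inside /DATA cannot redirect the delete at a system directory.
		return clean, nil
	}
	return "", ErrPathNotAllowed
}

func main() {
	for _, p := range []string{"/DATA/photos/old.jpg", "/DATA/../etc/passwd", "/etc/passwd", "/DATA", "DATA/x"} {
		got, err := ValidateDeletePath(p)
		fmt.Printf("%-24s -> %q %v\n", p, got, err)
	}
}
```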

Exploit


Weakness Enumeration

Related Identifiers

CVE-2026-28442
GHSA-Q5HP-59WM-9XQ3

Affected Products

Casaos
Zimaos