CVE-2026-28207 - Vulnerability Analysis
Medium | CVSS: 6.6 | Last Updated: February 26, 2026
Zen C - Command Injection
Published: February 26, 2026 | Updated: February 26, 2026 | PoC Available
Overview
Zen C < 0.4.2 contains a command injection vulnerability caused by an unsanitized output filename: the value of the -o argument is passed to system() in src/main.c, letting local attackers execute arbitrary shell commands. Exploitation requires control over the compiler arguments.
Severity & Score
Severity: Medium
CVSS Score: 6.6
Impact
Local attackers can execute arbitrary shell commands with the privileges of the user running the compiler.
Mitigation
Update to version 0.4.2 or later.
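For code that still builds compiler command lines this way, the sketch below contrasts the pattern described in the overview with an argv-based invocation that never involves a shell. It is an added example, not Zen C source or the project's fix; the function names and the "cc" backend are assumptions.

```c
/* Added example, not Zen C source: names and the "cc" backend are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the advisory describes: the -o value is pasted into a string that
   system() would hand to /bin/sh, so the shell parses its metacharacters.
   This function only builds the string; it never executes it. */
int build_shell_cmd(char *buf, size_t n, const char *src, const char *out) {
    return snprintf(buf, n, "cc %s -o %s", src, out);
}

/* Hardened form: one argv slot per argument. No shell ever sees the name. */
void fill_compile_argv(char *av[5], const char *src, const char *out) {
    av[0] = (char *)"cc";
    av[1] = (char *)src;
    av[2] = (char *)"-o";
    av[3] = (char *)out;   /* stays a single argument, whatever it contains */
    av[4] = NULL;
}

/* Run argv directly with fork/execvp; returns the exit status or -1. */
int run_no_shell(char *const av[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(av[0], av);
        _exit(127);            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s <source> <output>\n", argv[0]);
        return 2;
    }
    char *av[5];
    fill_compile_argv(av, argv[1], argv[2]);
    return run_no_shell(av);
}
```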
Details
- CVE ID: CVE-2026-28207
- Severity: Medium
- CVSS Score: 6.6
- Type: command_injection
- Status: new
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L