Home / Vulnerability Intelligence / CVE-2026-28286

CVE-2026-28286 - Vulnerability Analysis

HighCVSS: 8.5

Last Updated: March 2, 2026

ZimaOS - Broken Access Control

Published: March 2, 2026Updated: March 2, 2026Remote Exploitable

Overview

ZimaOS 1.5.2-beta3 contains a broken access control vulnerability caused by insufficient validation of file path inputs in the API, letting attackers create files or directories in restricted system paths, exploit requires direct API access.

Severity & Score

Severity: High

CVSS Score: 8.5

EPSS Score: 5.5%(Probability of exploitation in next 30 days)

Impact

Attackers can create files or directories in critical system paths, potentially leading to system compromise or data tampering.

Mitigation

Update to the latest version once a patch is available.

References

https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-65mg-9gw5-vr7g

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 2, 2026

🟠 CVE-2026-28286 - High (8.5) ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. H... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28286/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28286
Severity: High
CVSS Score: 8.5
Type: broken_access_control
Status: unconfirmed
EPSS: 5.5%
Social Posts: 1

CWE

CWE-73

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

5.5%Probability of exploitation in the next 30 days