CVE-2026-28286 - Vulnerability Analysis
High
CVSS: 8.5
Last Updated: March 2, 2026
ZimaOS - Broken Access Control
Published: March 2, 2026
Updated: March 2, 2026
Remote Exploitable
Overview
ZimaOS 1.5.2-beta3 contains a broken access control vulnerability caused by insufficient validation of file path inputs in the API. It lets attackers create files or directories in restricted system paths. Exploitation requires direct API access.
Severity & Score
Severity: High
CVSS Score: 8.5
Impact
Attackers can create files or directories in critical system paths, potentially leading to system compromise or data tampering.
Mitigation
Update to the latest version once a patch is available.
Details
- CVE ID: CVE-2026-28286
- Severity: High
- CVSS Score: 8.5
- Type: broken_access_control
- Status: unconfirmed
CWE
- CWE-73
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H