Home / Vulnerability Intelligence / CVE-2026-28442

CVE-2026-28442 - Vulnerability Analysis

HighCVSS: 8.5

Last Updated: March 6, 2026

ZimaOS - Broken Access Control

Published: March 5, 2026Updated: March 6, 2026Remote Exploitable

Overview

ZimaOS 1.5.2-beta3 contains a broken access control vulnerability caused by improper validation of the path parameter in delete requests, letting attackers delete internal system files via the API, exploit requires API access.

Severity & Score

Severity: High

CVSS Score: 8.5

EPSS Score: 4.2%(Probability of exploitation in next 30 days)

Impact

Attackers can delete critical system files, potentially causing system instability or denial of service.

Mitigation

Update to the latest version once a patch is available or implement proper path validation and access controls.

References

https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-q5hp-59wm-9xq3

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 7, 2026

🟠 CVE-2026-28442 - High (8.5) ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28442/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28442
Severity: High
CVSS Score: 8.5
Type: broken_access_control
Status: new
EPSS: 4.2%
Social Posts: 1

CWE

CWE-73

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

4.2%Probability of exploitation in the next 30 days