CVE-2026-28207

Exploit

EPSS 0.01%
Veröffentlicht 26.02.2026 22:17:58
Zuletzt bearbeitet 03.03.2026 00:48:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (like through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls, implementing `ArgList`, and internal argument handling. Users are advised to update to Zen C version v0.4.2 or later.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Z-libs ≫ Zen C Version < 0.4.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.019

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.3	1.3	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com	6.6	1.8	4.7	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2

Vendor Advisory

Exploit

Mitigation

https://f0nduesav0yarde.github.io/blog/vulnerabilities/cve-2026-28207/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-28207

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28207

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28207

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-28207