110 matches found

Nuclei
added 11 hours ago, 22 views

ZimaOS <= v1.2.4 - Sensitive Information Disclosure

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http:///v1/users/image?path=/var/lib/casaos/1/apporder.json and http:///v1/users/image?path=/var/lib/casaos/1/system.json,...

7.5 CVSS, 5.9 AI score, 0.20599 EPSS
Exploits: 1, References: 3

Nuclei
added yesterday, 10 views

ZimaOS - Authentication Bypass

ZimaOS <= 1.5.0 contains broken authentication caused by improper password validation for known system service accounts in the login function, letting attackers authenticate with any password for these accounts; exploitation requires knowledge of common usernames. id: CVE-2026-21891 info: name: ZimaO...

9.8 CVSS, 5.9 AI score, 0.02169 EPSS
Exploits: 1, References: 2

GithubExploit
added 2026/04/05 6:1 p.m., 109 views

Exploit for External Control of File Name or Path in Zimaspace Zimaos

zimaos-cve-2026-28286...

9.9 CVSS, 6 AI score, 0.0041 EPSS
Exploits: 2

RedhatCVE
added 2026/04/04 10:54 p.m., 2 views

CVE-2026-28798

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint /v1/sys/proxy exposed by ZimaOS's web interface can be abused via an externally reachable domain using a Cloudflare Tunnel to make requests to internal localhost...

10 CVSS, 5.8 AI score, 0.00387 EPSS
Exploits: 1, References: 1

NVD
added 2026/04/03 8:16 p.m., 3 views

CVE-2026-28798

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint /v1/sys/proxy exposed by ZimaOS's web interface can be abused via an externally reachable domain using a Cloudflare Tunnel to make requests to internal localhost...

10 CVSS, 0.00387 EPSS
Exploits: 1, References: 2

Cvelist
added 2026/04/03 8:0 p.m., 14 views

CVE-2026-28798 Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint /v1/sys/proxy exposed by ZimaOS's web interface can be abused via an externally reachable domain using a Cloudflare Tunnel to make requests to internal localhost...

9 CVSS, 0.00387 EPSS
Exploits: 1, References: 2

ATTACKERKB
added 2026/04/03 8:0 p.m., 2 views

CVE-2026-28798

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint /v1/sys/proxy exposed by ZimaOS's web interface can be abused via an externally reachable domain using a Cloudflare Tunnel to make requests to internal localhost...

9 CVSS, 5.8 AI score, 0.00387 EPSS
Exploits: 1, References: 3, Affected Software: 1

Vulnrichment
added 2026/04/03 8:0 p.m., 2 views

CVE-2026-28798 Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint /v1/sys/proxy exposed by ZimaOS's web interface can be abused via an externally reachable domain using a Cloudflare Tunnel to make requests to internal localhost...

9 CVSS, 5.8 AI score, 0.00387 EPSS
Exploits: 1, References: 2

EUVD
added 2026/04/03 8:0 p.m., 3 views

EUVD-2026-18843

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint /v1/sys/proxy exposed by ZimaOS's web interface can be abused via an externally reachable domain using a Cloudflare Tunnel to make requests to internal localhost...

9 CVSS, 5.8 AI score, 0.00387 EPSS
Exploits: 1, References: 2

CVE
added 2026/04/03 8:0 p.m., 11 views

CVE-2026-28798

ZimaOS (fork of CasaOS for Zima devices and x86-64 with UEFI) before version 1.5.3 exposes a proxy endpoint at /v1/sys/proxy in its web interface. When the product is reachable from the Internet via a Cloudflare Tunnel, an externally reachable domain can abuse this endpoint to make requests to i...

10 CVSS, 5.8 AI score, 0.00387 EPSS
Exploits: 1, References: 2, Affected Software: 1

Positive Technologies
added 2026/04/03 12:0 a.m., 2 views

PT-2026-30213

Name of the Vulnerable Software and Affected Versions: ZimaOS versions prior to 1.5.3. Description: ZimaOS, a fork of CasaOS, has an issue where the /v1/sys/proxy API endpoint, exposed through its web interface, can be exploited to make requests to internal localhost services. This allows...

9 CVSS, 5.9 AI score, 0.00387 EPSS
Exploits: 1, References: 6

CNNVD
added 2026/04/03 12:0 a.m., 7 views

ZimaOS Code Issue Vulnerability

ZimaOS is an open-source operating system project by IceWhaleTech, aimed at providing a lightweight, high-performance, and secure operating environment. Versions of ZimaOS prior to 1.5.3 had code vulnerabilities. These vulnerabilities stemmed from the exposed proxy endpoints in the web interface,...

10 CVSS, 5.9 AI score, 0.00387 EPSS
Exploits: 1, References: 2

RedhatCVE
added 2026/03/07 1:44 a.m., 5 views

CVE-2026-28442

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...

8.5 CVSS, 5.8 AI score, 0.00304 EPSS
Exploits: 1, References: 1

VulnCheck KEV
added 2026/03/07 12:0 a.m., 2 views

VulnCheck KEV: CVE-2026-21891

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a...

9.8 CVSS, 5.8 AI score, 0.02169 EPSS
In wild, Exploits: 1, References: 24

NVD
added 2026/03/05 9:16 p.m., 6 views

CVE-2026-28442

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...

8.5 CVSS, 0.00304 EPSS
Exploits: 1, References: 1

Cvelist
added 2026/03/05 8:38 p.m., 29 views

CVE-2026-28442 ZimaOS: Arbitrary Deletion of Internal System Files via API Path Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...

8.5 CVSS, 0.00304 EPSS
Exploits: 1, References: 1

EUVD
added 2026/03/05 8:38 p.m., 5 views

EUVD-2026-9879

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...

8.5 CVSS, 5.9 AI score, 0.00304 EPSS
Exploits: 1, References: 1

Vulnrichment
added 2026/03/05 8:38 p.m., 3 views

CVE-2026-28442 ZimaOS: Arbitrary Deletion of Internal System Files via API Path Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...

8.5 CVSS, 5.8 AI score, 0.00304 EPSS
Exploits: 1, References: 1

ATTACKERKB
added 2026/03/05 8:38 p.m., 4 views

CVE-2026-28442

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...

8.5 CVSS, 5.9 AI score, 0.00304 EPSS
Exploits: 1, References: 2

CVE
added 2026/03/05 8:38 p.m., 12 views

CVE-2026-28442

ZimaOS 1.5.2-beta3 (a CasaOS fork) exposes improper input validation and broken access control in filesystem operations. By altering the path parameter in the delete API, restricted system files/directories can be removed, bypassing UI protections. The backend lacks validation to ensure the path i...

8.5 CVSS, 5.9 AI score, 0.00304 EPSS
Exploits: 1, References: 1, Affected Software: 1