14 matches found
VulnCheck KEV: CVE-2026-21891
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a...
CVE-2025-64427
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses e.g., 127.0.0.1, localhost, or...
CVE-2025-64427
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses e.g., 127.0.0.1, localhost, or...
CVE-2025-64427 ZimaOS is vulnerable to Server-Side Request Forgery (SSRF)
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses e.g., 127.0.0.1, localhost, or...
EUVD-2025-208196
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses e.g., 127.0.0.1, localhost, or...
EUVD-2026-9206
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, th...
CVE-2026-21891
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a...
EUVD-2026-1670
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a...
EUVD-2025-29750
Malicious code in bioql PyPI...
EUVD-2025-29749
Malicious code in bioql PyPI...
CVE-2025-58432
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v21/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT...
CVE-2025-58431
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v21/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT...
CVE-2025-58432
ZimaOS (a CasaOS fork for Zima devices and x86-64 with UEFI) contains a local privilege-escalation flaw in the /v2_1/files/file/uploadV2 API. In versions before and including 1.4.1, any user with localhost access can upload files via this endpoint and have them executed with root privileges, enab...
CVE-2025-58432 ZimaOS Privilege Escalation using localhost calls to File API Upload
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v21/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT...